QUALITY CONTROL REVIEW OF THE DEPARTMENT’S IMPLEMENTATION OF EARNED VALUE MANAGEMENT AND SECURITY COST REPORTING
Department of Transportation

Report Number: QC-2009-048
Date Issued: April 24, 2009

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Report on Quality Control Review of the Department’s Implementation of Earned Value Management and Security Cost Reporting
Report Number: QC-2009-048
Date: April 24, 2009

From: Rebecca C. Leng, Assistant Inspector General for Financial and Technology Audits
Reply to Attn. of: JA-20

To: Acting Chief Information Officer, DOT

This report summarizes the results of the audit of the Department of Transportation’s implementation of earned value management (EVM), and the supportability of estimated security costs for major information technology (IT) investments.[1] The Department requested about $2.4 billion for 46 major IT investments in its Fiscal Year 2009 budget submission, including about $116 million in security funding.

The Clinger-Cohen Act of 1996 requires Federal agencies to establish effective management structures to govern IT investments and to improve their implementation and management. The Office of Management and Budget (OMB) developed Federal policy for planning, budgeting, acquiring, and managing Federal IT assets. In addition, OMB’s Capital Programming Guide directs agencies to develop, implement, and use a capital programming process that (1) fully implements EVM[2] for IT projects, with emphasis on those designated as high-risk; (2) integrates IT security into their strategic and operational planning processes; (3) institutes performance measures and management processes that monitor actual performance and compare it against planned results; and (4) provides senior agency management and OMB with a Capital Asset Plan and Business Case (Exhibit 300) that documents the justification, management oversight practice, and status for each major IT investment.[3]

[1] A major IT investment is one that requires special management attention because of its importance to an agency’s mission or the magnitude of the investment.
[2] Earned value management is a management tool that is used to plan, execute, and control the costs and schedules of IT projects.
[3] OMB Circular A-11 (section 300) and OMB’s Capital Programming Guide (supplement to Part 7 of Circular A-11).

OMB requires agencies to employ EVM to calculate cost and schedule variances from the approved baseline for all major IT investments in the development phase appearing on Exhibit 300s. When properly implemented, EVM provides insight on program performance by comparing the value of work accomplished in a given period against the planned value of work scheduled for that period.

An independent firm—KPMG, LLP, of Washington, D.C.—carried out this performance audit under contract to the Office of Inspector General (OIG). The objectives were to determine whether (1) the earned value management measures included in the OMB Exhibit 300 submissions properly reflected project performance, and (2) security costs included in the submissions were supported.

KPMG’s report can be found in its entirety in Appendix A. KPMG’s scope and methodology and review results are included in Appendix A, starting on pages 15 and 18, respectively. We performed a quality control review of the audit work to ensure that it complied with generally accepted government auditing standards as prescribed by the Comptroller General of the United States. In our opinion, KPMG’s audit work complied with applicable standards.

The following summarizes KPMG’s findings.

FINDINGS

KPMG concluded that the EVM measures included in Exhibit 300 submissions could not be relied upon to properly reflect project performance. KPMG found that the Department lacked a standard approach for implementing EVM systems because the implementation guide specified in the departmental policy was never issued. KPMG reviewed six major investment projects and found them deficient in meeting the requirements specified by OMB. For example, EVM requirements were not specified in acquisition contracts, and certification reviews of contractor systems used to compile EVM data were not conducted, as required by OMB.

Further, KPMG concluded that the Department had no assurance that the security cost estimates included in the budget submission were adequate to protect its information systems. The Department has not established a standard method to accurately and consistently estimate the costs of implementing IT security. According to the Operating Administrations, they estimate security funding needs through historical cost data, yet they were unable to provide support or justification for their security cost figures.

Departmental EVM Policy and Implementation Guide Are Incomplete, Leaving the Department without a Roadmap to Guide Proper EVM Implementation

Per OMB, agencies were to develop a comprehensive EVM policy no later than December 31, 2005. In January 2008, DOT issued its EVM policy.[4] The policy contained pre-established dollar thresholds mandating at what levels of expenditure IT projects must implement EVM, as well as general guidance for implementing an earned value management system (EVMS). Yet specific implementation guidance to ensure consistent and reliable EVM implementation across the Operating Administrations was lacking.[5] For example, guidance is needed for:

• Provisions for EVM training to ensure that program office staff and contractor personnel are properly trained on the analysis of generated earned value data.

• Integration of EVM practices with portfolio management to ensure that EVM data are used in capital planning and investment control decisions.

• Standards to capture project scope/work assignments and use of a standard work breakdown structure (WBS) to ensure that large projects are properly broken down into smaller components for compiling EVM data. This allows a program manager to more precisely identify which components are causing cost overruns or schedule delays, and more effectively mitigate their root causes.

• Enforcement of joint government/contractor consultation with respect to the Integrated Baseline Review to support cost and schedule rebaselining. This ensures that integrated baseline reviews are conducted regularly and with proper personnel to adjust cost, schedule, and performance goals.

• Protection of EVM data from unauthorized changes. The guidance should describe any templates, tools, and systems utilized and the controls needed to ensure that data are collected consistently and protected from unauthorized changes.

[4] A memorandum jointly issued by the departmental Chief Information Officer, Chief Financial Officer, and the Deputy Chief Acquisition Officer entitled DOT Earned Value Management Policy, January 14, 2008.
[5] In the absence of Departmentwide implementation guidance, the Federal Aviation Administration and the Federal Motor Carrier Safety Administration developed EVM implementation guidance for their own use.

The Department had planned to complete the draft EVM implementation guide by March 31, 2008. However, according to the former Chief Information Officer, a lack of dedicated resources impeded the planned action. The Department has not established a revised target date for completing the implementation guide. Until this guide is developed and disseminated across the Department, the Operating Administrations will lack a roadmap for full and consistent EVM implementation as intended by OMB to ensure the integrity and reliability of EVM data.

Operating Administrations Did Not Meet OMB Requirements for EVM Implementation, Rendering EVM Data Unreliable in Measuring Project Performance

To ensure reliable EVM implementation for major IT investment projects, OMB requires agencies to (1) include EVM requirements in acquisition contract provisions, (2) conduct EVM certification and surveillance reviews,[6] (3) use work breakdown structure for work decomposition, and (4) conduct performance reviews using EVM data. KPMG selected a judgmental sample of six major IT investments, with a total life-cycle value of $4.2 billion. These investment projects are managed by three Operating Administrations—the Federal Aviation Administration (FAA), the Federal Motor Carrier Safety Administration (FMCSA), and the Pipeline and Hazardous Materials Safety Administration (PHMSA).

As shown in Table 1 below, KPMG found that Operating Administrations did not consistently meet OMB requirements when implementing EVM for these major investments. Specifically, the six sampled major IT investments were deficient in performing one or more of the four required key EVM components. As a result, the Department has no assurance that the EVM data used to measure the cost, schedule, and performance of these investments properly and realistically reflect accurate project performance.

[6] These reviews are required to ensure that the system used to compile EVM data meets OMB requirements and can be relied upon for measuring program performance.

Table 1. Extent to Which Sample Investments Met OMB EVM Requirements

                            |              Planning               |            Controlling
Operating Administration    | Standard EVMS     | EVMS System     | WBS for Major   | EVMS Contractor
Major IT Investments[a]     | Language Included | Certification   | Investments     | Surveillance
                            | in Contracts?     | Performed?      | Used?           | Performed?
FAA—TAMR                    | Yes               | No              | Yes             | Yes
FAA—ASOS/AWOS               | No                | No              | Yes             | Yes
FAA—ATOP                    | No                | Yes             | Yes             | No
FAA—ATM/TFM                 | Yes               | Yes             | Yes             | No
PHMSA—SMART                 | No                | No              | No              | No
FMCSA—Modernization         | No                | No              | Yes             | No

[a] For full names of Operating Administrations and their IT systems, see Tables 2 and 3 on pages 15 and 16 (Appendix A), respectively.

The Department Had No Assurance That Security Cost Estimates Included in Its Budget Submission Were Adequate To Protect Its Information Systems

National Institute of Standards and Technology Special Publication 800-65, Integrating IT Security into the Capital Planning and Investment Control Process, directs agencies to estimate security costs based on a process that identifies, prioritizes, and corrects security weaknesses identified with their computer systems. KPMG found that the Department had not established guidance or practices to ensure consistent estimation of IT security costs for its major IT investments. According to the Operating Administrations, they estimate security funding needs only through historical cost data. Yet they were unable to show how such historical data support their security cost estimate figures.

Further, in a matter related to the adequacy of security cost estimation but not part of the KPMG review, we found that Operating Administrations did not request adequate funding to correct security deficiencies. As disclosed in our annual information security audit, the Operating Administrations had not estimated the costs for remediating more than half (2,493 out of 4,286) of the security deficiencies found in departmental information systems.[7] In addition, security cost estimates varied significantly among the Operating Administrations—ranging from less than 1 percent to 23 percent of their IT budget requests. In our opinion, such a disparity signals inconsistent and potentially unreliable estimation practices in the Department (see Table 2). Accordingly, the Department has no assurance that the security cost estimates included in the budget submission are adequate to protect its information systems.

[7] Audit of DOT Information Security Program, OIG Report Number FI-2009-003, October 8, 2008.

Table 2. FY 2009 Budget Requests for IT and IT Security Spending

Operating           | Total IT Budget | Estimated IT Security | % of IT
Administration[a]   | (in millions)   | Costs (in millions)   | Security Costs
FAA                 |       $2,518.21 |                $40.14 |          1.59%
FHWA                |           18.59 |                  1.19 |          6.42%
FMCSA               |           26.41 |                  1.29 |          4.89%
FRA                 |           15.19 |                  1.20 |          7.90%
FTA                 |           12.57 |                  0.37 |          2.97%
MARAD               |            4.09 |                  0.03 |          0.80%
NHTSA               |           20.79 |                  1.49 |          7.18%
OST[b]              |          342.97 |                 80.20 |         23.38%
PHMSA               |            8.74 |                  0.35 |          4.04%
RITA                |           12.97 |                  0.36 |          2.80%
Total               |       $2,980.53 |               $126.62 |          4.25%

[a] For full names of Operating Administrations, see Table 2 in Appendix A.
[b] Security estimates for OST comprise departmentwide operations such as the Cyber Security Management Center.
Source: OIG analysis based on DOT’s Exhibit 53, Agency IT Investment Portfolio, submission to OMB.

RECOMMENDATIONS

On page 41 in Appendix A, KPMG made a series of recommendations to DOT management for improving EVMS processes/practices and security cost estimation. We agree with KPMG’s recommendations and have summarized them below (Recommendations 1 and 3). We also supplemented KPMG’s recommendations to ensure that deficiencies identified during the audit are corrected (Recommendation 2).

Based on KPMG’s findings, we recommend that the departmental Acting Chief Information Officer:

1. Establish a target date to complete and distribute the DOT EVM implementation guidance to Operating Administrations. This guidance should document processes and practices consistent with guidelines published by OMB and address the detailed recommendations included in KPMG’s report in Appendix A.

2. Require Operating Administrations to review all major IT investments in the development phase for compliance with key OMB requirements for EVM implementation and report results to the CIO office. Ensure that Operating Administrations establish a target date for correcting deficiencies found.

3. Establish security cost estimation standards consistent with the National Institute of Standards and Technology, require Operating Administrations to follow the standards, and verify compliance with the standards by performing a sample review of Operating Administrations’ security cost estimate submissions.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

We provided a draft of this report to the Acting DOT Chief Information Officer for comment on March 25, 2009, and received her response on April 10. She concurred with all of our recommendations, and stated that her office is in the process of developing new policy and guidance to ensure full compliance with earned value management as directed by the Office of Management and Budget. This includes implementation of standards for security estimation techniques across the Department. The response can be found in its entirety in Appendix B.

In general, management actions—begun and planned—adequately address the intent of our recommendations. The Acting DOT Chief Information Officer’s responses to our recommendations are summarized below:

Recommendation 1: Concurred. The Acting Chief Information Officer stated that a new DOT earned value management policy and associated guidelines will be issued by September 30, 2009. The new guidelines will include standards, processes, templates, and techniques for implementation and use of EVM consistent with Office of Management and Budget requirements.

Recommendation 2: Concurred. The Acting Chief Information Officer stated that each Operating Administration has a plan of action and milestones established for EVM implementation, and is required to report to the CIO all progress toward meeting the Department’s goal of full compliance by December 31, 2009. Additionally, the Acting Chief Information Officer is in the process of enhancing program management review tools to provide a complete picture of the health of investment projects for decision-making. EVM measures submitted by Operating Administrations will be included in the health evaluation.

Recommendation 3: Concurred. The Acting Chief Information Officer stated that by June 30, 2009, new guidance to standardize security cost estimating techniques in accordance with the National Institute of Standards and Technology approach will be disseminated Departmentwide. In addition, by August 30, 2009, the Office of the Chief Information Officer will conduct sample reviews to verify that the departmental security cost estimating guidelines are used by Operating Administrations in preparing Exhibit 300 budget submissions for FY 2011.

ACTIONS REQUIRED

Management actions taken and planned are responsive to our recommendations, and are considered resolved subject to follow-up provisions in DOT Order 8000.1C.

We appreciate the courtesies and cooperation of representatives from the departmental Chief Information Officer’s office, the Operating Administrations, and KPMG during this audit. If you have any questions concerning this report, please call me at (202) 366-1407 or Michael Marshlick, Project Manager, at (202) 366-1476.

#

cc: Martin Gertel, M-1
    CIO Council Members

APPENDIX A. KPMG LLP REPORT

FINAL REPORT

Department of Transportation
Earned Value Management and Security Cost Reporting Performance Audit

Prepared for: DOT Office of Inspector General

As of Date: July 31, 2008

Prepared By:
KPMG LLP
2001 M Street NW
Washington DC 20036

Appendix A. KPMG LLP Report

Table of Contents

REPORT

EXECUTIVE SUMMARY ........................................... 2
I. BACKGROUND ................................................ 4
II. OBJECTIVE, SCOPE, AND METHODOLOGY ........................ 6
III. RESULTS ................................................. 9
IV. FINDINGS and RECOMMENDATIONS ............................ 26
V. MANAGEMENT RESPONSE TO REPORT ............................ 33

KPMG LLP
2001 M Street, NW
Washington, DC 20036

EXECUTIVE SUMMARY

February 13, 2009

OFFICE OF INSPECTOR GENERAL
U.S. DEPARTMENT OF TRANSPORTATION
1200 NEW JERSEY AVENUE, SE
WASHINGTON, D.C. 20590

KPMG LLP (KPMG) was contracted by the Department of Transportation (DOT) Office of Inspector General (OIG) under Contract No. DT0S59-06-A-00031, Order No. 2007-Z-0003 to conduct a performance audit of the department’s adoption and use of Earned Value Management Systems (EVMS) across the Departmental Operating Administrations (OAs) (i.e., modes), and specifically for certain Information Technology (IT) investments. This performance audit report presents the results of our work conducted to address the performance audit objectives relative to the DOT. Our work was performed during the period of March 3, 2008 to July 31, 2008, and our results are as of July 31, 2008.

We conducted this performance audit in accordance with generally accepted government auditing standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and recommendations based on our audit objectives.

The audit objectives of the notification dated February 19, 2008 related to project number 07F3017F000 are to determine whether (1) the EVMS measures included in the Exhibit 300 submissions properly reflect project performance, (2) security costs included in the Exhibit 300 submissions are supported, and (3) OA management actively monitors its major IT investments to meet departmental requirements. We were tasked to review DOT’s EVMS capability to assess how mature the Department is in EVMS as it relates to guidelines referenced in legislation, policy, and standards pertaining to EVMS. The results of this performance audit address objectives (1) and (2) referenced above. The Office of Inspector General (OIG) is addressing objective (3) and EVMS data being used for program oversight and control in a separate report.

The DOT has established an EVMS policy that contains pre-established dollar thresholds and guidance for IT investment owners to consider when implementing EVMS. In addition, various modes have improved their use of EVMS by establishing supporting materials, such as IT project management and EVMS implementation guidance, providing EVMS training, and conducting EVMS lessons learned. While these items help provide a foundation of EVMS guidance for modes to follow and investments to use, there are opportunities for improvement to further implement and use EVMS to help manage major IT investments.

Overall, based on the interviews conducted, documents inspected, and test procedures performed within the audit program guide, we determined that the DOT has inconsistently applied controls across the ten (10) departmental modes and seven (7) IT investments. As a result, the EVMS-related processes used to collect and report EVMS data cannot be relied on to properly reflect project performance in Exhibit 300 submissions. In addition, we found that project management practices related to EVMS are not consistently applied across the OAs and major IT investments. Finally, the security cost estimates that are derived for Exhibit 300 submissions cannot be fully supported. Timely implementation of the recommendations is needed to fulfill departmental requirements and achieve maturity in managing IT investments.

We currently report, for the DOT’s consideration, three recommendations from this performance audit. These recommendations include 1) Controls over the reliability of EVMS data should be strengthened, 2) Controls over the reasonableness of security cost estimates should be strengthened, and 3) Controls over the implementation and use of EVMS in project oversight should be strengthened. EVMS provides organizations with the methodology needed to integrate the management of project scope, schedule, and cost. Implementation of these recommendations should enable DOT to improve reliability of data needed to oversee IT projects and make investment decisions. The detailed objectives of this performance audit are enumerated within Section II. Findings and Recommendations are enumerated within Section IV.

This performance audit did not constitute an audit of financial statements in accordance with Government Auditing Standards. KPMG was not engaged to, and did not render an opinion on the DOT’s internal controls over financial reporting or over financial management systems (for purposes of OMB’s Circular No. A-127, Financial Management Systems, July 23, 1993, as revised). KPMG cautions that projecting the results of our evaluation to future periods is subject to the risks that controls may become inadequate because of changes in conditions or because compliance with controls may deteriorate.

Sincerely,

I. BACKGROUND

The Department of Transportation (DOT) mission is to serve the United States by ensuring a fast, safe, efficient, accessible and convenient transportation system that meets our vital national interests and enhances the quality of life of the American people, today and into the future.[1] DOT invested approximately $2.7 billion annually in information technology (IT). In order to derive the intended benefits of the programs and projects within the IT portfolio, project planning and execution processes should be in place to control the establishment of baseline performance measures and manage deviations from expected performance plans. Earned Value Management (EVM) data is a critical component of the control phase of the IT capital planning process, because it provides investment managers with the cost, schedule, and performance data necessary to help ensure that DOT investments are delivered on time and perform within budget and scope. The addition of the variance and trend analysis aspect of EVM permits an evaluation that monitors deviation from the baseline plan, which may indicate potential threats or opportunities. Proper application of EVM also increases the level of confidence of management that the investment is being managed in accordance with sound project management practices and is consistent with DOT goals and objectives.

The Office of the Secretary of Transportation (OST) is responsible for establishing the requisite policies and procedures to govern the DOT modes within the department for managing investments within the IT portfolio, including policies and procedures related to IT capital planning and investment control (CPIC), program management and project management. These policies and procedures should reflect Office of Management and Budget (OMB) guidance, including provisions for using EVM and estimating IT security costs for investments. In addition, the Operating Administrations (or modes) within DOT are responsible for implementing the policies and procedures promulgated by OST in a manner consistent with the underlying objectives. Table 2 contains a listing of the key legislation, policies, and standards pertaining to EVMS and IT investment and project management.

[1] www.dot.gov

Table 1: EVMS Legislation, Policies and Standards

Criteria: Legislation
• Government Performance and Results Act of 1993 – mandates the use of performance metrics.
• Federal Acquisition Streamlining Act of 1994 – requires agency heads to achieve, on average, 90% of the cost and schedule goals established for major and non-major acquisition programs of the agency without reducing the performance or capabilities of the items being acquired.
• Clinger Cohen Act of 1996 – requires establishment of the processes for executive agencies to analyze, track, and evaluate the risks and results of major investments in IT and requires reporting on the net program performance benefits achieved by agencies.

Criteria: Policies
• Office of Management and Budget (OMB) Circular A-11 (Part 7, Planning, Budgeting, Acquisition and Management of Capital Assets) – outlines a systematic process for program management, which includes integration of program scope, schedule, and cost objective; requires use of earned value techniques for performance measurement during execution of the program; specifically identifies ANSI/EIA Standard 748.
• OMB Memorandum M-04-24, “Expanding Electronic Government (E-Gov) President’s Management Agenda (PMA) Scorecard Cost, Schedule and Performance Standards for Success” – provides additional information on the President’s Management Agenda Expanded Electronic Government initiative and the standard for success concerning cost, schedule and performance goals.
• OMB Memorandum M-05-23, “Improving Information Technology (IT) Project Planning and Execution” – provides guidance to assist agencies in monitoring and improving project planning and execution and fully implementing EVMS for major IT projects.

Criteria: Standards
1. ANSI/EIA Earned Value Management System (EVMS) Standard 748 – industry process for use of EVMS including integration of program scope, schedule and cost objectives, establishment of a baseline plan for accomplishment of program objectives, and use of earned value techniques for performance measurement during the execution of a program.
2. Project Management Institute (PMI) Standard for Earned Value Management – developed as a supplement to “A Guide to the Project Management Body of Knowledge (PMBOK Guide).” The Practice Standard for EVM is designed to provide a fundamental understanding of the principles of EVM and its role in facilitating effective project management.

II.
OBJECTIVE, SCOPE, AND METHODOLOGY

KPMG LLP (KPMG) was contracted by the Department of Transportation (DOT) Office of Inspector General (OIG) under Contract No. DT0S59-06-A-00031, Order No. 2007-Z-0003 to conduct a performance audit of the Department's adoption and use of Earned Value Management Systems (EVMS) across the departmental Operating Administrations (OAs), (i.e., modes), and specifically for certain Information Technology (IT) investments.

Objectives

The audit objectives stated in the notification dated February 19, 2008 for project number 07F3017F000 are to determine whether (1) the EVM measures included in the Exhibit 300 submissions properly reflect project performance, (2) security costs included in the Exhibit 300 submissions are supported, and (3) OA management actively monitors its major IT investments to meet departmental requirements. We were tasked to review DOT's EVMS capability to assess how mature the Department is in EVMS as it relates to guidelines referenced in legislation, policy, and standards pertaining to EVM. The results of this performance audit address objectives (1) and (2) referenced above. The OIG has addressed objective (3), and the use of EVM data for program oversight and control, in a separate report.

Scope

The performance audit procedures were designed to evaluate the implementation of EVM and security cost estimating and reporting practices over ten OAs and seven major² IT investments selected by the OIG, summarized in Tables 2 and 3 below.

Table 2: Scope of EVM and Security Cost Reporting Analysis by Mode

Mode                                                                 Earned Value        Security Cost
                                                                     Management (Y/N)    Reporting (Y/N)
Federal Aviation Administration (FAA)                                      Y                   Y
Office of the Secretary of Transportation (OST)                            Y                   Y
Federal Highway Administration (FHWA)                                      Y                   Y
Federal Motor Carrier Safety Administration (FMCSA)                        Y                   Y
National Highway Traffic Safety Administration (NHTSA)                     Y                   Y
Federal Transit Administration (FTA)                                       Y                   Y
Maritime Administration (MARAD)                                            Y                   Y
Federal Railroad Administration (FRA)
                                                                           Y                   Y
Research and Innovative Technology Administration (RITA)                   Y                   Y
Pipeline and Hazardous Materials Safety Administration (PHMSA)             Y                   Y
Surface Transportation Board (STB)³                                        N                   N
Saint Lawrence Seaway Development Corporation (SLSDC)³                     N                   N

² "Major" investment refers to an IT investment requiring an OMB Exhibit 300 business case.
³ During our analysis, OA management informed us that they do not have any major IT investments nor have they implemented any EVMS over their IT portfolio. Therefore, the OIG determined to exclude these modes from the scope of this performance audit.

Table 3: Scope of EVM and Security Cost Reporting Analysis for Major Investments

Major Investment                                                                          Earned Value        Security Cost
                                                                                          Management (Y/N)    Reporting (Y/N)
FAA: Terminal Automation Modernization and Replacement (TAMR)                                   Y                   Y
FAA: Automated Surface Observing System/Automated Weather Observing System (ASOS & AWOS)        Y                   Y
FAA: Automated Traffic Management/Traffic Flow Management (ATM/TFM)                             Y                   Y
FAA: Advanced Technologies and Oceanic Procedures (ATOP)                                        Y                   Y
PHMSA: Safety Monitoring and Analysis Reporting Tool (SMART)                                    Y                   Y
FMCSA: Federal Motor Carrier Safety Administration (FMCSA) Modernization                        Y                   Y
OST: IT Combined Infrastructure                                                                 N                   Y

We designed the procedures to gain an understanding of how each mode and IT investment in scope has instituted practices related to EVM and security cost reporting, divided into the following sections:

• EVM Governance: Includes the policies and supporting guidance (i.e., project and program management) available to implement and use EVM.

• EVM Tools & Technology: Includes the EVM tools and related technologies used for IT projects (i.e., EVM-related tools, EVM engines, cost accounting tools, scheduling and resource management tools and technology integration).

• EVM Implementation & Performance: Includes EVM supporting standards and practices (e.g., work breakdown structure and use, contract and scope management, resource planning and management, and EVM analysis techniques), EVMS certification⁴, EVMS surveillance⁵, EVM training, and EVM lessons learned.

• Security Cost Governance: Includes the policies and procedures in place for security cost analysis and estimation.

• Security Cost Estimating, Analysis and Reporting: Includes the practices used in analyzing, estimating, and reporting security costs.

Our fieldwork was performed during the period of March 3, 2008 to July 31, 2008 at Washington, D.C. headquarters and Federal Aviation Administration (FAA) locations, and our results are as of July 31, 2008.

Methodology

We performed this performance audit in accordance with the Government Auditing Standards issued by the Government Accountability Office (GAO). In particular, we designed our procedures to conform to a performance audit as defined by the Government Auditing Standards.
We performed our engagement in three phases: (1) planning, (2) testing and interviewing, and (3) report writing.

⁴ EVMS certification refers to the process by which the EVMS is evaluated to verify that it meets the full intentions of the guidelines presented in the ANSI EIA-748 standard. Source: www.ndia.org
⁵ EVMS surveillance refers to the process of reviewing the health of the EVMS as it is applied to one or more programs. Source: www.ndia.org

The planning phase was designed to help ensure that team members developed a collective understanding of the EVM and security cost reporting practices in place for the ten OAs and the seven major investments. We provided separate questionnaires to each mode and to each investment program team. The questionnaires were designed to provide a foundational understanding for conducting interviews and for identifying additional documentation requests.

During the testing and interviewing phase, we conducted interviews, collected and inspected provided artifacts, participated in process walk-throughs, and designed and performed test procedures. We conducted these test procedures primarily at DOT headquarters and FAA facilities in Washington, D.C. Test procedures over the EVM and security cost reporting practices were based on the Federal legislation, policies and industry standards.

When our test procedures required us to select a sample of items from a population for testing, we used a judgmental sample selection methodology. Accordingly, our recommendations are applicable to the sample we tested and were not extrapolated to the population (i.e., all OAs and all major investments).

The report writing phase entailed writing a draft report, conducting an exit conference, providing a formal draft report to OIG for review, and preparing and issuing the final report.

III. RESULTS

Feedback is critical to the success of any project. Timely and targeted feedback can enable project managers to identify problems early and make adjustments that can keep a project on time and on budget. In addition, agency executives need early identification of cost and schedule variance information to monitor and control risks within the investment portfolio. Earned Value Management (EVM) has proven to be one of the most effective performance measurement and feedback tools for managing projects. EVM provides organizations with the methodology needed to integrate the management of project scope, schedule, and cost.⁶

Cost data on security spending is necessary to help ensure that federal IT investments have adequately identified and budgeted for security.

In the following section of the report, we provide the results of our performance audit across the following sections: Earned Value Management (EVM) Governance; EVM Tools & Technology; EVM Implementation & Performance.
In addition, we provide the results of our performance audit within the sections Security Cost Governance and Security Cost Estimating, Analysis and Reporting.

EVM Governance

EVM Governance consists of the policies, procedures and practices in place to establish requirements for EVM implementation and performance management within project and program management practices. The Office of the Secretary of Transportation (OST) is responsible for providing this guidance to the Operating Administrations (OAs), (i.e., modes), with the exception of the Federal Aviation Administration (FAA), discussed further below. The FAA has created its own policy and guidance for EVM.

OST EVM Policy
The Department of Transportation (DOT) EVM Policy was made effective on January 14, 2008. This version of the policy (i.e., the first phase of implementation) applies exclusively to IT projects and programs and only to work performed under contract. Management represents that future policy updates will broaden the scope to include all DOT programs and work performed by both federal employees and contractors.

⁶ Project Management Institute (PMI) Standard for Earned Value Management, 2005.

The degree to which EVM is applied to IT investments varies with the size and complexity of the IT investment, as depicted in Table 4 below:

Table 4: DOT EVM Requirements

Investment   Total Contract
Tier         Value             Description
Tier I       ≥ $20M            IT investments with total development, modernization and enhancement (DME) life-cycle acquisition costs equal to or greater than $20 million and/or those on the OMB High Risk List. Tier I investments must implement an EVMS that fully complies with American National Standard ANSI/EIA Standard 748 EVMS Guidelines.
Tier II      $3M to < $20M     IT investments with total DME life-cycle acquisition costs equal to or greater than $3 million but less than $20 million (excluding level of effort tasks). Tier II investments must apply EVM principles for tracking investment cost, schedule, and technical performance but need only comply with a subset of ANSI/EIA Standard 748 Guidelines, as detailed in the DOT EVM Implementation Guide.
Tier III     < $3M             IT investments with total DME life-cycle acquisition costs of less than $3 million (excluding level of effort tasks). Tier III investments must apply EVM principles to track investment cost, schedule and technical performance, but are not required to comply with the ANSI/EIA 748 Guidelines. The extent to which EVM is required for each Tier III investment is determined
by the risk, dollar amount, and complexity of the investment, as detailed in the DOT EVM Implementation Guide.

Additional DOT EVM policy requirements include:
• EVM is to be applied to contractor work, regardless of contract type.
• Where applicable, EVM requirements must be clearly indicated in the investment's solicitation and the resulting contract. The Contracting Officer (CO) shall insert requirements provided by the Program Manager (PM) or Contracting Officer's Technical Representative (COTR) into the contract for Integrated Baseline Reviews (IBRs)⁷ for Tier I and Tier II investments, and for Tier III investments as deemed necessary by the Contracting Officer and Program/Project Manager. The Contract Data Requirements List (CDRL) must provide that EVM data for these investments be submitted via the Contractor Performance Report (CPR).
• EVM implementation shall be consistent with all DOT IT Governance processes and related procedures.
• Waivers to this policy are to be submitted by the Program Manager (PM)/CO in writing to the OA CIO, prior to submission to the DOT CIO for approval. Processing of waivers will be detailed in the to-be-released DOT EVM Implementation Guide.⁸ The grant of a waiver in no way implies exemption from sound and rigorous management practices, or from continuous monitoring of program/project cost, schedule, and technical performance.

⁷ An Integrated Baseline Review (IBR) refers to a government-led review that is intended to ensure the government and contractor mutually understand program scope, schedule, resources, inherent risk, and management approach, and to ensure early and adequate planning. Source: DOT EVM Policy dated January 18, 2008.
⁸ After fieldwork concluded, management informed us that the DOT Implementation Guide was discontinued in June 2008 in favor of a more robust and detailed EVM policy. We were not informed of the discontinued effort, nor were we provided with the updated EVM policy.

While the DOT policy contains these requirements, it does not address certain other EVM considerations. For example, the policy does not include provisions related to assigning work elements to Federal employees; does not contain provisions for training, integration with portfolio management, and the use of templates and tools; does not require the FAA to follow the policy even though FAA's EVM policy requirements are more stringent and are accompanied by EVM implementation guidance; and the EVM implementation guidance referenced throughout the DOT EVM policy has not yet been created nor promulgated to assist the OAs and major investments.
We have included this weakness in the Findings section of this report.

Additionally, OST management has not implemented standards to support an enterprise approach for managing and applying EVM across the modes. This includes the promotion of standards for articulating and capturing project scope and work assignments and enforcing them through the IBR, decomposing work using a standard work breakdown structure (WBS)⁹ for IT development projects, managing concurrent efforts through an Integrated Master Schedule (IMS)¹⁰, guidelines for retaining rebaselining documentation, and conducting EVM training and lessons learned. We have included this weakness in the Findings section of this report.

FAA EVM Policy
The FAA has its own acquisition system, known as the Acquisition Management System (AMS), which establishes the FAA's acquisition policy. In 2005, the FAA developed its own EVMS policy and incorporated it into the AMS. The key requirements of the policy include:

• Contractor EVM implementation must be consistent with the program's acquisition strategy. All capital investment programs must use Table 5 to determine the application of EVM to the DME¹¹ work assigned to contractors. The requirements apply to all contract types. On an exception basis, low-risk contractor efforts (i.e., firm fixed price production) may implement EVM within an FAA program office at the program level. Contractor EVM implementation must be based on an assessment of the cost, schedule, and technical performance risk of each contract.

Table 5: FAA Contract EVMS Requirements

EVMS Requirement                   Total Contract Value > $10M    Total Contract Value < $10M
Contract Performance Report                    R                              O
Integrated Master Schedule                     R                              O
Integrated Baseline Reviews                    R                              O
EVMS Standard Compliance                       R                              O
EVM System Certification                       R                              O
Notes: R = Required by approving authority; O = Optional

• Capital investment programs required to use an EVMS must be certified as meeting the guidelines of ANSI/EIA-748. The EVM Focal Point assesses and validates EVM implementation and monitors application to ensure compliance. The AIO Value Management Office certifies program EVM systems. FAA contractors required to use an EVM system must be certified as meeting the guidelines of ANSI/EIA-748. Contractor EVM implementation must be validated by the Contracting Officer, assisted by the EVM Focal Point. The EVM Focal Point determines whether a contractor requires an EVMS certification review or whether an existing certification and EVM surveillance process are acceptable. The EVM Focal Point will establish agreements with other government agencies to recognize contractor EVM certifications and surveillance reports.

⁹ A Work Breakdown Structure (WBS) is a deliverable-oriented hierarchical decomposition of the work to be executed by the project team to accomplish the project objectives and create the required deliverables. Source: PMBOK Guide – Third Edition.
¹⁰ An Integrated Master Schedule refers to a multilayered schedule showing all the detailed tasks required to accomplish the work effort contained within a set of projects or program(s). Source: Defense Acquisition Guidebook.
¹¹ Development, Modernization and Enhancement (DME) means the project cost for new investment, changes or modifications to existing systems to improve capability or performance, changes mandated by the Congress or agency leadership, personnel costs for investment management, and direct support. For major IT investments, this amount should equal the sum of amounts reported for planning and acquisition in the Exhibit 300. Source: DOT EVM Policy dated January 18, 2008.

The FAA has also issued an EVM Implementation Guide dated February 2006 that addresses EVM implementation on FAA programs, FAA contracts, and EVM certification and surveillance.
FAA programs are to apply EVM methodologies to the total program effort, including both government and contractor work, to better manage complex, high-risk, high-cost, or high-visibility efforts. FAA programs may utilize multiple sources to accomplish the work of the program and commonly assign work to the following performing organizations that must be included in the EVMS as depicted in Table 6:

Table 6: EVMS methodologies for organizations

Performing Organization            EVMS consideration
Government Organizations           Government organizations and personnel (Full-Time Equivalents – FTEs), while commonly used to perform program management and oversight, may also perform engineering, testing, deployment, and logistics support functions. All work and program activities performed by government personnel are assigned using the program baseline work breakdown structure (WBS) and are managed using EVM. FAA programs required to use EVM must include resources for all government DME effort included in the JRC-approved program baseline.
Major Contractors                  Major contractors commonly are employed in the areas of design, engineering, development, deployment, and support functions. All work and program activities performed by major contractors are assigned using the program baseline WBS and are managed using EVM. FAA programs required to use EVM must include resources for all major contractor effort included in the JRC-approved program baseline. When a program awards a contract greater than $10M for development, modernization, and enhancement work, the contract effort is managed by an EVMS. A Contractor Performance Report (CPR) and Integrated Master Schedule (IMS) are obtained consistent with the JRC-approved OMB-300. These reports may be tailored and customized in accordance with their respective Data Item Descriptions (DID), specific program risks, and performance measurement metrics/reports included in the OMB-300. The contractually required EVMS used by each contractor must meet the guidelines in American National Standard ANSI/EIA-748 and be certified.
Support Contractors                Support contractors commonly perform support roles in one or more areas of program management, engineering, configuration management, test, and logistics. All work and program activities performed by support contractors are assigned using the program baseline WBS and are managed using EVM. FAA programs required to use EVM must include resources for all support contractor effort included in the JRC-approved program baseline. Implementation of EVM on support contractor effort must be consistent with AMS Earned Value Management policy.
Small contracts and subcontracts   When a program awards a contract less than $10M for DME work, the contract may be managed using an EVMS following the optional policy guidelines outlined in AMS. A CPR and IMS are optional requirements on the contract. IBRs may be performed to ensure planning is adequate. The EVMS, if required, should follow the guidelines of American National Standard ANSI/EIA-748, and a certification of the EVMS may be required.

The FAA also requires the use of a standard lifecycle WBS. The use of EVMS during the planning phases (WBS 1.0 and 2.0) is considered by FAA management to be a best practice when the work involves prototyping or testing software.
EVM is used during the solution development phase (WBS 3.0), the solution implementation phase (WBS 4.0), and in-service management phase activities (WBS 5.0). The FAA also has provided guidance on program management practices such as Quality Assurance for Program Management, Measurement and Analysis, Evaluation (Verification), Requirements, Risk Management, Program Management, and Contractor Management.

EVM Tools and Technology

EVM tools are the tools used to create and manage the cost and schedule of projects, including those for developing WBS elements, tracking the completion of project activities, and performing EVM-related calculations (e.g., cost variance (CV), cost performance index (CPI), schedule variance (SV), schedule performance index (SPI)). Currently, there are no prescribed or standard tools selected by OST for managing projects, performing project-level EVM calculations, or reporting EVM data.

Appendix A. KPMG LLP Report                                                                 Page 12

FINAL REPORT

Across the OAs, management informed us that each project is managed differently and that the tools used to report EVM data may also differ across the IT investments. For the majority, the modes and investments use Microsoft Excel to calculate or report the EVM data, and the project WBS and schedule of activities are managed within Microsoft Project or, in the case of FAA, Primavera.
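The project-level calculations named above (CV, CPI, SV, SPI) carried through a small WBS, together with the kind of integrity check the report later notes is absent for EVM data held in spreadsheets (see the discussion following Table 7). This Python example is added here for illustration; it is not part of the KPMG/OIG report and does not describe any DOT or OA tool. The WBS element values, the 0.90 variance threshold, and the HMAC key are assumptions constructed for the example.

```python
"""Project-level EVM calculations over a WBS, plus a tamper-evidence check.

Constructed example (not from the KPMG/OIG report). The WBS element values
below are invented; the HMAC key would in practice be held by the reviewer,
not by whoever edits the spreadsheet.
"""
import hashlib
import hmac
import json

# Constructed sample: one reporting period for three WBS elements of a
# hypothetical solution-development phase (WBS 3.x). Values in dollars.
# PV = planned value, EV = earned value, AC = actual cost.
SAMPLE_WBS = [
    {"wbs": "3.1", "name": "Requirements", "pv": 100_000, "ev": 100_000, "ac": 95_000},
    {"wbs": "3.2", "name": "Design",       "pv": 200_000, "ev": 150_000, "ac": 180_000},
    {"wbs": "3.3", "name": "Development",  "pv": 300_000, "ev": 210_000, "ac": 260_000},
]


def evm_metrics(pv, ev, ac):
    """Return CV, SV, CPI and SPI for one WBS element or a roll-up.

    CV = EV - AC (negative: over cost); SV = EV - PV (negative: behind schedule);
    CPI = EV / AC; SPI = EV / PV. Indices are None when the divisor is zero
    (no cost incurred / nothing planned) rather than raising.
    """
    return {
        "cv": ev - ac,
        "sv": ev - pv,
        "cpi": ev / ac if ac else None,
        "spi": ev / pv if pv else None,
    }


def rollup(elements):
    """Sum PV/EV/AC across WBS elements and compute the program-level metrics."""
    pv = sum(e["pv"] for e in elements)
    ev = sum(e["ev"] for e in elements)
    ac = sum(e["ac"] for e in elements)
    return {"pv": pv, "ev": ev, "ac": ac, **evm_metrics(pv, ev, ac)}


def flag_variances(elements, threshold=0.90):
    """Return WBS ids whose CPI or SPI falls below the threshold (assumed value)."""
    flagged = []
    for e in elements:
        m = evm_metrics(e["pv"], e["ev"], e["ac"])
        if (m["cpi"] is not None and m["cpi"] < threshold) or \
           (m["spi"] is not None and m["spi"] < threshold):
            flagged.append(e["wbs"])
    return flagged


def canonical_bytes(elements):
    """Serialize the records deterministically so the tag does not depend on key order."""
    return json.dumps(elements, sort_keys=True, separators=(",", ":")).encode()


def sign_records(elements, key):
    """HMAC-SHA256 tag over the canonical records; the key is assumed held by the reviewer."""
    return hmac.new(key, canonical_bytes(elements), hashlib.sha256).hexdigest()


def verify_records(elements, key, tag):
    """True only if the records are unchanged since they were signed."""
    return hmac.compare_digest(sign_records(elements, key), tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # assumption: reviewer-held secret
    tag = sign_records(SAMPLE_WBS, key)    # taken when the figures are baselined
    print("program:", rollup(SAMPLE_WBS))
    print("flagged:", flag_variances(SAMPLE_WBS))
    tampered = json.loads(json.dumps(SAMPLE_WBS))
    tampered[2]["ev"] = 300_000            # development "fixed" to 100% complete
    print("original verifies:", verify_records(SAMPLE_WBS, key, tag))
    print("tampered verifies:", verify_records(tampered, key, tag))
```

The tag is produced when the reviewed figures are baselined and checked again when they are reported; a workbook that every project member can edit cannot protect the key, so the key has to live outside the spreadsheet with the party doing the review.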
A breakdown of the various tools used to report project information and EVM data is included in Table 7 below.

Table 7: EVM tools and technology across modes and IT investments

Mode or (Investment)                          | EVM calculations/reporting (project level) | EVM portfolio reporting   | Schedule / WBS
FAA (ATOP) (ATM/TFM) (ASOS/AWOS)              | MS Excel                                   | eCPIC / Worklenz (FY2009) | MS Project, Primavera
FAA (TAMR)                                    | Primavera                                  |                           |
OST                                           | MS Excel                                   | eCPIC / Worklenz (FY2009) | MS Project
FHWA, NHTSA, MARAD, FRA, RITA, PHMSA (SMART)  | MS Excel                                   | eCPIC                     | MS Project
FMCSA (FMCSA Modernization)                   | MS Excel                                   | eCPIC                     | MS Project, MS Excel

According to OA management, for the EVM data reported through MS Excel, no controls have been identified that prevent unauthorized changes to the spreadsheets and thereby protect the validity and integrity of the EVM data. We have included this weakness in the Findings section of this report.

EVM Implementation and Performance

The effective use of EVM requires that it be used on projects where the principles of good project management are being applied. Project management is primarily a matter of planning and controlling work. 12 EVM considerations through each project include the following:

Project Process – Planning
➢ Standard EVMS requirements exist in contracts for major investments – This consideration helps ensure that applicable contractor statements of work (SOW) include EVM policy requirements. This is a requirement of the Office of Management and Budget (OMB).
➢ EVMS system certification should be performed for major investments – This consideration helps ensure that the EVMS being used by the contractor has been thoroughly evaluated by the government and adheres to the requirements established in relevant policies and the SOW (e.g., ANSI/EIA-748). This is a requirement of OMB.
➢ Standard work breakdown structure (WBS) and practices are used for major investments – This consideration helps ensure that a consistent and repeatable manner is used to decompose work, estimate resource requirements for project work elements, estimate project activity duration and sequencing, establish EVM credit techniques, and assign work elements within the WBS through the use of Organizational Breakdown Structures (OBS) 13 and Responsibility Assignment Matrices (RAM) 14. This is considered a leading practice but is not a requirement.

Project Process – Controlling
➢ EVMS system surveillance should be used for contractors managing EVMS for major investments – This consideration helps ensure that the EVMS being used by contractors, through EVM reporting and periodic evaluation, continues to meet EVMS certification and SOW requirements. This is a requirement of OMB.
➢ EVMS is analyzed at least monthly in accordance with OST's requirement – This consideration helps ensure that EVM data is being evaluated on a consistent monthly basis, per OST requirements. This is an OST (DOT policy) requirement rather than an OMB requirement.

As noted above, these EVM implementation and performance practices either are required by OMB policy or DOT policy, or are related to industry-based practices. We evaluated these EVM-related attributes for each mode and IT investment in order to verify their implementation and performance; the results are contained in Table 8 below.

12 Project Management Institute (PMI) Standard for Earned Value Management, 2005.
13 An Organizational Breakdown Structure (OBS) depicts the organization hierarchy, allowing the project's work packages to be related to the performing organizational units. Source: PMI's Practice Standard for Work Breakdown Structures, 2nd edition.
14 A Responsibility Assignment Matrix (RAM) is a structure that relates the project OBS to the WBS to help ensure that each component of the project's scope of work is assigned to a responsible person/team. Source: PMI's Practice Standard for Work Breakdown Structures, 2nd edition.
Table 8: EVMS Implementation & Performance Management by Mode/Investments 15

Planning attributes: (1) standard EVMS contract language required for majors (Y/N); (2) EVMS system certification required (Y/N); (3) standard WBS for major investments (Y/N). Controlling attributes: (4) EVMS contractor surveillance required (Y/N); (5) EVMS analysis frequency.

Mode / EVM attribute           | (1) | (2) | (3) | (4) | (5)
FAA                            | Y   | Y   | Y   | Y   | Monthly
OST                            | Y   | N   | N   | N   | Monthly
FMCSA                          | Y   | N   | Y   | N   | Monthly
NHTSA                          | N   | N   | Y   | N   | Quarterly
PHMSA                          | N   | N   | N   | N   | Monthly

IT investment / EVM attribute  | (1) | (2) | (3) | (4) | (5)
FAA (TAMR)                     | Y   | N   | Y   | Y   | Monthly
FAA (ASOS/AWOS)                | N   | N   | Y   | Y   | Monthly
FAA (ATOP)                     | N   | Y   | Y   | N   | Monthly
FAA (ATM/TFM)                  | Y   | Y   | Y   | N   | Monthly
PHMSA (SMART)                  | N   | N   | N   | N   | Monthly
FMCSA (FMCSA Modernization)    | N   | N   | Y   | N   | Monthly

This analysis indicates that the modes and investments are inconsistently applying EVMS implementation and performance practices. With regard to the modes,

• PHMSA and NHTSA did not fully specify standard EVMS contract language for investments;
• OST, NHTSA, FMCSA, and PHMSA did not fully enforce EVMS certification over contractor-operated EVMS;
• OST and PHMSA do not use a standard WBS for major IT investments;
• OST, NHTSA, FMCSA, and PHMSA did not fully implement EVMS contractor surveillance practices;
• NHTSA EVMS reporting is not being performed monthly, as prescribed by OST.

For the investments we analyzed,
• ASOS/AWOS, ATOP, SMART and FMCSA Modernization IT investments did not fully specify standard EVMS contractor language. For example,
    o In the IAA with the National Weather Service (NWS), the ASOS/AWOS program does not contain any provisions for EVMS or for the data required to be collected in order to support FAA EVMS measurements.
    o For contract line item number (CLIN) 7270, several ATOP statements of work do not contain EVMS reporting requirements. While EVMS was not required in the statements of work, EVMS is a requirement in the prime contract.
    o In the Inter-Agency Agreement (IAA) with the Volpe Center for the SMART investment, EVMS reporting requirements are unclear, such as what EVM metrics are to be collected and at what level of the project, what earned value credit techniques are to be used, and what reporting formats are to be used.
    o For the FMCSA Modernization investment, the SOW does not contain requirements for the EVMS to be certified or subject to surveillance, or consideration of EVM metrics and EVM credit techniques.
• TAMR, ASOS/AWOS, SMART and FMCSA Modernization IT investments did not fully enforce EVMS certification. For example,
    o While the EVMS of the contractor (Raytheon) for TAMR was DCMA certified on January 28, 2008, the FAA has not evaluated/audited the contractor's EVMS specific to the STARS contracts, which include TAMR, nor has it fully accepted the DCMA validation.
    o The ASOS/AWOS contractor's EVMS is not certified. The contract was awarded prior to the FAA Acquisition Management Policy requirement for contractor EVMS certification in 2005. In addition, ASOS/AWOS had prepared a Plan of Action and Milestones (POA&M) to improve EVM processes and procedures identified through surveillance activities in order to achieve EVM compliance; however, the implementation plan has not been developed.
    o The SMART investment contractor's (i.e., the Volpe Center within DOT) EVMS has not been certified consistent with ANSI standards, nor are there SOW requirements for this to occur.
    o The FMCSA Modernization EVMS has not been certified.
• SMART has not fully considered the use of a standard WBS.
• ATOP, ATM/TFM, SMART and FMCSA Modernization IT investments did not fully implement EVMS surveillance. For example,
    o EVMS reporting requirements have not been prescribed by the ATOP program for its prime contractor. Reporting requirements have continued to emerge as the project continues to run.
    o Management represents that, although standard reporting is used for the ATM/TFM, SMART and FMCSA Modernization investments, EVMS surveillance is not occurring to help ensure the EVMS continues to meet required standards (e.g., ANSI/EIA-748).

15 FHWA and FTA management represent that their modes' major investment(s) are in steady state rather than development, modernization or enhancement (DME) and do not require EVM; therefore the EVMS attributes listed in Table 8 are not currently in place. FRA and RITA management represent that EVMS is not currently required based on the investment tier of their major investments under the DOT EVM policy. Finally, MARAD management represents that there are no major investments currently in its portfolio; therefore, EVMS is not required.
These weaknesses have been included in the Findings section of this report.

Governance for Estimating, Analyzing and Reporting Security Costs

OST is responsible for providing policies and procedures to the modes for estimating, analyzing and reporting IT security costs. According to OST, there are no specific policies or procedures in place for estimating, tracking and reporting security costs. Absent are provisions for distributing resources based on assessed risks; for using risk analysis, earned value and return on investment to determine which security controls should be funded and implemented; for linking information security expenditures to the strategy and mission of the program; for linking security costs to OMB A-11 categories; and for developing a performance plan that addresses security resources including budget, staffing and training. This weakness is included in the Findings section of this report. In 2003, OST provided the Cost Estimating Tool for Information Security (CETIS) for use by all OAs; however, management represents that the figures estimated by the tool were above any historical estimates, so the tool was discontinued because OST would not approve the requested amounts. Subsequently, the OAs used a fixed percentage to represent estimated security costs; however, all of the OAs requested the same percentage.

Across the modes, management represents that historical information and a risk-based approach to addressing security weaknesses are being used to estimate security costs.
The major IT investments follow their modes' methods for estimating security costs (i.e., TAMR, ASOS/AWOS, ATOP and ATM/TFM follow FAA; SMART follows PHMSA; and FMCSA Modernization follows FMCSA). These security costs are funded through the investment that has to address the security weakness, are centrally funded through the program office if they are broader-scope security costs, or a combination of both. Table 9 contains a summary of how management represents each mode is reporting its security costs: (A) embedded in project budgets, (B) funded separately, or (C) both.

Table 9: Security Cost Estimating and Reporting by Mode

For each mode: whether a policy for developing security estimates exists (Y/N); the security-related costs management identifies; and how the costs are reported, as (A) security embedded in projects, (B) security funded separately, or (C) both.

OST (major investment: IT Combined Infrastructure)
  Policy for developing security estimates: N
  Security-related costs: Mode level: security awareness training, privacy training, and FISMA reporting tool use (i.e., DOJ's CSAM); funds are requested by OST from the OAs for these services. Major investments: the cost of activities associated with certification and accreditation, risk assessment, and risk mitigation.
  Reporting: C. Major investment: system POA&Ms go with the investment.

FAA (major investments: TAMR, ATM/TFM, ATOP, ASOS/AWOS)
  Policy for developing security estimates: N
  Security-related costs: Each individual investment team manages security costs as part of the entire program's life-cycle cost. Specific costs include, among others, as appropriate: risk assessment; certification and accreditation; specific security controls; authentication or cryptographic applications; education, awareness, and training; contingency planning and testing; and physical controls for hardware and software.
  Reporting: C. Major investment(s): system POA&Ms go with the investment.

FMCSA (major investment: FMCSA Modernization)
  Policy for developing security estimates: N
  Security-related costs: Government FTEs in IT security; contractors supporting IT security; WBS items in EVM systems that align with the WBS dictionary for IT security.
  Reporting: C. Major investment(s): system POA&Ms go with the investment.

FTA
  Policy for developing security estimates: N
  Security-related costs: The cyclical schedule for security certification and accreditation; data encryption requirements; compliance with HSPD-12; compliance with E-Authentication standards; and corrective actions based on IG, GAO, C&A and FMFIA audits are inputs to security costs for an information technology investment.
  Reporting: C. System POA&Ms go with the investment.

FHWA
  Policy for developing security estimates: N
  Security-related costs: Operational cost to maintain security controls and to comply with FISMA (NIST SP 800-53 annual control testing, annual DR testing, security plan review, etc.). It also depends on other annual DOT and OMB requirements.
  Reporting: C. System POA&Ms go with the investment.

RITA
  Policy for developing security estimates: N
  Security-related costs: The cost of activities associated with certification and accreditation, risk assessment, and risk mitigation.
  Reporting: B. Most security costs are borne at the RITA CIO level and not embedded in the project budgets.

FRA
  Policy for developing security estimates: N
  Security-related costs: FRA develops cost estimates based on historical information for the program, remediations required (if any), and economies of scale for shared components.
  Reporting: C. System POA&Ms go with the investment.

PHMSA (major investment: SMART)
  Policy for developing security estimates: N
  Security-related costs: PHMSA PMs work with the ISSO and CIO team to help ensure security costs are funded. This includes C&A activities and completing POA&Ms.
  Reporting: A. Major investment: system POA&Ms go with the investment.

NHTSA
  Policy for developing security estimates: N
  Security-related costs: Risk assessments performed in eRAMS identify risks that map to individual 800-53 security controls, which are in turn evaluated for mitigation potential, including costs.
  Reporting: C. System POA&Ms typically go with the investment.

MARAD
  Policy for developing security estimates: N
  Security-related costs: Security and privacy issues are addressed. A privacy impact assessment is provided when applicable, and certification and accreditation is conducted for all IT systems.
  Reporting: C. Security is included within projects; currently C&A efforts are funded separately.

From a policy standpoint, OST management represents that this is an area that needs greater attention. Management represents that it has started evaluating security costs across the IT investment portfolio to begin gaining an understanding of which types of security areas are costing the agency the most money.
For example, during this fiscal year (FY), management has started to evaluate the security costs
over the IT portfolio and has potentially identified certification and accreditation (C&A)
activities as one of the most expensive items related to IT security. As a result, management has
represented that it would consider reengineering the C&A process and promulgating these
requirements to the modes, with the goal of creating a streamlined and consistent approach to
performing C&A activities that should provide a more predictable measure of security costs for
estimating. In addition, management is considering collecting and estimating security costs in a
common reporting format based on the NIST SP 800-53 control categories. Management believes this
reporting format will provide insight into which security costs represent opportunities to improve
the process of estimating security costs and refining security-related policy.

With regard to the IT Combined Infrastructure investment, the investment is a mixed lifecycle
investment that aggregates DOT IT infrastructure and office automation expenditures into a single
Exhibit 300 submission to OMB. There are currently 43 investments from 12 subordinate
administrations (see Table 10) that contribute to this consolidated investment. This includes 12
investments, which account for subordinate Operating Administration participation in the DOT
Common Operating Environment and their investment in Common IT Services that are available across
the Department. This investment also includes alternative criteria and performance results of the
IT consolidation activities and steady state operations of the newly established DOT Consolidated
Operating Environment (COE), as well as FAA IT consolidation and cost containment efforts. The
investment also includes planning activities for the extension of the COE to DOT field sites
(excluding FAA). The investment excludes infrastructure telecommunications services that are
considered mission specific.

For the 12 COE investments, these security costs are funded through the Working Capital Fund
(WCF). These investments are represented as "Common IT Services" in the table below. Management
represents that current security-related expenditures for the 12 represented OST security
investments include:

    1. A cost center named "Information Assurance and Privacy" that includes the associated costs
       of an Interagency Agreement (IAA) with FAA to support the Cyber Security Management Center
       (CSMC), FISMA training and reporting, contractor support and HSPD-12 costs.
    2. Network security costs are included in the "Campus Area Network" cost center. This includes
       Security Operations Center personnel as well as software and hardware security-related
       purchases.
    3. Security costs for messaging are in "Directory and Messaging Services". This is for
       software and appliances to protect against spam and viruses.
    4. The cost center "Enterprise Network Operations Center" includes personnel who operate the
       Network Operations Center.

In FY2010, the IT Combined Infrastructure has requested approximately $43M in funding, 21% of which
represents IT security costs. Table 10 below contains the breakdown of the IT security costs for
each of the 43 investments.

Table 10: IT Combined Infrastructure security spend by mode

Columns: Mode / Investment Name | IT Security dollars requested | Total Investment budget | % IT security of the total investment request | % IT Security of the IT Combined Investment | Total # of representative investments
(Mode-level rows carry all five values; the subordinate investment rows beneath each mode give the first three only.)

OST | $2,047,062.40 | $9,185,000.00 | 22.29 | 4.74% | 4
    OSTXX777 Common IT Services (CONSOLIDATED WITH DOTXX070) | $1,062,062.40 | $6,928,000.00 | 15.33
    OSTXX041 - Logical Access Capability (CONSOLIDATED WITH DOTXX070) | $957,000 | $957,000.00 | 100
    OSTXX043 - Cyber Security Management Center (CSMC) (CONSOLIDATED WITH DOTXX070) | $28,000.00 | $28,000.00 | 100
    WCFXX011: Departmental Print services (CONSOLIDATED WITH DOTXX070) | $0.00 | $1,272,000.00 | 0

FAA | $37,327,222.80 | $105,454,000.00 | 35.4 | 86.37% | 13
    FAAXX777: Common IT Services (CONSOLIDATED WITH DOTXX070) | $879,912.80 | $9,272,000 | 9.49
    FAAXX101: FAA ELECTRONIC MAIL [ATO AN014] (CONSOLIDATED WITH DOTXX070) | $643,500.00 | $12,870,000.00 | 5
    FAAXX199: ATO Workstations [ATO AN018 AN029 AN033] (CONSOLIDATED WITH DOTXX070) | $1,779,800.00 | $35,596,000.00 | 5
    FAAXX202: AHR OFFICE AUTOMATION (CONSOLIDATED WITH DOTXX070) | $17,360.00 | $868,000.00 | 2
    XX220: LAN SUPPORT FOR THE ASSOCIATE ADMINISTRATOR FOR COMMERCIAL SPACE TRANSPORTATION (CONSOLIDATED WITH DOTXX070) | $60,000 | $600,000 | 10
    FAAXX231: ABA Operations and Infrastructure (CONSOLIDATED WITH DOTXX070) | $75,200 | $1,504,000 | 5
    FAAXX261: ARP LAN (CONSOLIDATED WITH DOTXX070) | $3,800 | $190,000 | 2
    FAAXX298: Information Systems Security Program (CONSOLIDATED WITH DOTXX070) | $33,600,000 | $33,600,000 | 100
    FAAXX375: Aeronautical Center Office Automation Support (CONSOLIDATED WITH DOTXX070) | $68,274 | $3,793,000 | 1.8
    FAAXX409: Aeronautical Center Infrastructure Modernization (CONSOLIDATED WITH DOTXX070) | $95,040 | $1,584,000 | 6
    FAAXX464: CMEL LAN/WAN Office Automation (CONSOLIDATED WITH DOTXX070) | $4,760 | $238,000 | 2
    FAAXX620: ASH Infrastructure (CONSOLIDATED WITH DOTXX070) | $0.00 | $1,190,000 | 0
    FAAXX700: ARC Information Technology Infrastructure (CONSOLIDATED WITH DOTXX070) | $99,576 | $4,149,000 | 2.4

FHWA | $1,791,242.40 | $34,751,000.00 | 5.15 | 4.14% | 4
    FHWAX777: Common IT Services (CONSOLIDATED WITH DOTXX070) | $76,982.40 | $7,776,000 | .99
    FHWAX034: User Profile and Access Control System (UPACS) (Consolidated with DOTXX070) | $933,000 | $933,000 | 100
    FHWAX036: FHWA Web Development and Support Services (Consolidated with DOTXX070) | $105,660 | $3,522,000 | 3
    FHWAX040: FHWA IT Infrastructure Initiatives (Consolidated with DOTXX070) | $675,600 | $22,520,000 | 3

PHMSA | $47,490.50 | $3,910,000 | 1.21 | .11% | 2
    PHMSA777 Common IT Services (CONSOLIDATED WITH DOTXX070) | $11,140.50 | $3,183,000 | .35
    PHMSA011: OFFICE AUTOMATION FOR ADMINISTRATIVE SYSTEMS SUPPORT (CONSOLIDATED WITH DOTXX070) | $36,350 | $727,000 | 5

FMCSA | $260,142.20 | $6,907,000 | 3.77 | .6% | 2
    FMCSA777: Common IT Services (CONSOLIDATED WITH DOTXX070) | $35,142.20 | $2,407,000 | 1.46
    FMCSA011: Field IT Infrastructure (CONSOLIDATED WITH DOTXX070) | $225,000 | $4,500,000 | 5

STB | $0.00 | $934,000 | 0 | 0% | 1
    STBXX003: LOCAL AREA NETWORK (CONSOLIDATED WITH DOTXX070)

MARAD | $59,721.00 | $8,622,000 | .69 | .14% | 2
    MARAD777 Common IT Services (CONSOLIDATED WITH DOTXX070) | $20,361.00 | $3,702,000 | .55
    MARAD015: Operating Environment (CONSOLIDATED WITH DOTXX070) | $39,360.00 | $4,920,000 | .8

SLSDC | $1,899.70 | $157,000.00 | 1.21 | .004% | 1
    SLSDC777 Common IT Services (CONSOLIDATED WITH DOTXX070)

FRA | $728,381.20 | $4,936,000 | 14.76 | 1.69% | 3
    FRAXX777 Common IT Services (CONSOLIDATED WITH DOTXX070) | $28,381.20 | $4,236,000.00 | .67
    FRAXX022: Infrastructure - General Hardware/Software Support (CONSOLIDATED WITH DOTXX070) | $0 | $0 | 0
    FRAXX304: Infrastructure - Information Technology Security Program (CONSOLIDATED WITH DOTXX070) | $700,000 | $700,000 | 100

FTA | $461,776.80 | $8,271,000.00 | 5.58 | 1.07% | 3
    FTAXX777 Common IT Services (consolidated with DOTXX070) | $12,076.80 | $3,774,000.00 | .32
    FTAXX002: FTA-COE/Infrastructure (consolidated with DOTXX070) - was General Support System | $276,900.00 | $2,769,000.00 | 10
    FTAXX022: FTA - Voice, Data & Wireless Communications (breakout of FTAxx002) (consolidated with DOTXX070) | $172,800.00 | $1,728,000.00 | 10

RITA | $355,038.80 | $12,013,300.00 | 2.96 | .82% | 3
    RITAX777: Common IT Services (consolidated with DOTXX070) | $17,173.00 | $5,922,000.00 | .29
    RITAX013: Volpe ADP Institutional Support Services Contract (AISSC) (previously RSPAX010; consolidated with DOTXX070) | $300,865.00 | $6,017,300.00 | 5
    RITAX016: IT Support for Transportation Safety Institute (consolidated with DOTXX070) | $37,000.00 | $74,000.00 | 50

NHTSA | $60,149.80 | $5,993,000.00 | 1 | .14% | 2
    NHTSA777 Common IT Services (consolidated with DOTXX070) | $28,549.80 | $5,598,000 | .51
    NHTSA008: VEHICLE RESEARCH AND TEST CENTER (VRTC) COMPUTER SYSTEM (consolidated with DOTXX070) | $31,600.00 | $395,000.00 | 8

OIG | $79,910.00 | $1,199,000.00 | 6.66 | .18% | 3
    OIGXX777 Common IT Services (consolidated with DOTXX070) | $7,910.00 | $799,000.00 | .99
    OIGXX001: Transportation Inspector General Reporting (TIGR) (consolidated with DOTXX070) | $0.00 | $0.00 | 0
    OIGXX002 OIG General Support/Maintenance of Network, ADP Hardware and Software (consolidated with DOTXX070) | $72,000.00 | $400,000.00 | 18

GRAND TOTALS | $43,220,037.70 | $202,332,300.00 | 21.36% | 100% | 43

Of the $43,220,037.70 in security costs for the IT Combined Infrastructure investment, the common IT
services represent $2,146,449.60 or approximately 5%.
The remaining $41,073,588.10 represents the remainder of the investment.

Because DOT has not provided guidance on estimating IT security costs, the security estimates are
self-reported by the OAs and do not follow any consistent, predictable methodology on which future
projections can be based by OST. In addition, there is no accountability over the reasonableness
of the estimates provided by the OAs for the investments that are not related to the common
operating environment. Finally, the security costs for the common IT services do not follow a
consistent methodology that provides a reasonable estimate of future security costs based on the
services rendered as the subordinate investments are migrated to the common operating environment.
This weakness is noted in the Findings and Recommendations section of this report.


IV.          FINDINGS and RECOMMENDATIONS

We conducted procedures related to the Earned Value Management (EVM) and security cost estimating
policies, procedures and controls in place over certain Department of Transportation (DOT)
Operating Administrations (OAs) and major IT investments, and have reported our overall findings
and recommendations within this report. We performed this performance audit at the Department's
headquarters and at Federal Aviation Administration (FAA) locations in Washington, D.C. This
performance audit consisted of reviewing applicable policies and procedures, which included
interviewing key personnel and reviewing key reports.

The DOT has established an EVM policy that contains pre-established dollar thresholds and guidance
for IT investment owners to consider when implementing EVM. In addition, various modes have
improved their use of EVMS by establishing supporting materials, such as IT project management and
EVM implementation guidance, providing EVM training, and conducting EVM lessons learned. While
these items help provide a foundation of EVM guidance for modes to follow and investments to use,
there are opportunities for improvement to further implement and use EVM to help manage major IT
investments. In addition, we identified weaknesses in the security cost estimating process across
the modes. Our 2008 performance audit communicates three recommendations related to controls over
the reliability of EVMS data, the reasonableness of security cost estimates, and the controls over
the implementation and completeness of EVMS. The three findings are further described in the table
below.
Each finding contains a description of the condition(s) or weaknesses/observations, the cause and
effect, the criteria used to support the noted weaknesses/observations, and the recommendation(s).


2008 Notice of Findings and Recommendations

2008-1: Controls Over the Reliability of EVMS Data Should Be Strengthened

Condition: During our review of the EVMS used at the Department of Transportation (DOT), we
identified the following exceptions related to the reliability of EVMS data:

A. Controls to prevent unauthorized changes to the spreadsheets (i.e., key cells and spreadsheets
   used to calculate EVM) have not been identified.

B. OST has not promoted nor provided standards for estimating project requirements for IT
   projects. This includes considerations for:
   • Estimating resource requirements for project work elements
   • Assigning management resource/using an

2008-2: Controls Over the Reasonableness of Security Cost Estimates and Reporting Should Be
Strengthened

Condition: During our review of the security cost reporting practices performed at the Department
of Transportation (DOT), we identified the following exceptions:

A. There are no DOT specific policies or procedures for estimating, tracking and reporting
   security costs. This includes:
   a. Provisions for distributing resources based on assessed risks
   b. Provisions for using risk analysis, earned value and return on investment to determine
      which security controls should be funded and implemented
   c.

2008-3: Controls Over the Implementation and Use of EVMS In Project Oversight Should Be
Strengthened

Condition: During our review of the implementation and completeness of EVMS practices performed at
the Department of Transportation (DOT), we identified the following exceptions:

A. The Department of Transportation (DOT) Earned Value Management policy:
   a. The EVM Implementation Guidance referenced throughout the DOT EVM policy has not yet been
      created nor promulgated;
   b. Does not accurately recognize FAA applicability even though FAA's requirements for
      implementing and using EVM are more stringent and are accompanied by EVM Implementation
      guidance; and
   c. Does not contain provisions for
Provisions\xc2\xa0for\xc2\xa0linking\xc2\xa0                 Training,\xc2\xa0Integration\xc2\xa0with\xc2\xa0\n               Organizational\xc2\xa0Breakdown\xc2\xa0                         information\xc2\xa0security\xc2\xa0                   Portfolio\xc2\xa0Management,\xc2\xa0the\xc2\xa0use\xc2\xa0\n               Structure\xc2\xa0(OBS)\xc2\xa0and\xc2\xa0                              expenditures\xc2\xa0to\xc2\xa0the\xc2\xa0                    of\xc2\xa0templates\xc2\xa0and\xc2\xa0tools.\xc2\xa0\n               Responsibility\xc2\xa0Assignment\xc2\xa0                        strategy\xc2\xa0and\xc2\xa0mission\xc2\xa0of\xc2\xa0      \xc2\xa0\n               Matrices\xc2\xa0(RAM)\xc2\xa0for\xc2\xa0control\xc2\xa0                       the\xc2\xa0program\xc2\xa0                  B.   There\xc2\xa0is\xc2\xa0no\xc2\xa0consistent\xc2\xa0enterprise\xc2\xa0\n               accounts\xc2\xa0and\xc2\xa0work\xc2\xa0elements\xc2\xa0                  d.   Provisions\xc2\xa0for\xc2\xa0linking\xc2\xa0the\xc2\xa0        approach\xc2\xa0to\xc2\xa0managing\xc2\xa0and\xc2\xa0applying\xc2\xa0\n               \xe2\x80\xa2\xc2\xa0Estimating\xc2\xa0project\xc2\xa0activity\xc2\xa0                    security\xc2\xa0costs\xc2\xa0to\xc2\xa0OMB\xc2\xa0A\xe2\x80\x90           EVM\xc2\xa0data\xc2\xa0across\xc2\xa0modes.\xc2\xa0\n               duration\xc2\xa0and\xc2\xa0sequencing\xc2\xa0                          11\xc2\xa0categories\xc2\xa0                C.   OST\xc2\xa0has\xc2\xa0not\xc2\xa0promoted\xc2\xa0nor\xc2\xa0provided\xc2\xa0\n               \xe2\x80\xa2\xc2\xa0Establishing\xc2\xa0EVM\xc2\xa0credit\xc2\xa0                   e.   
Provisions\xc2\xa0for\xc2\xa0                    standards\xc2\xa0for\xc2\xa0applying\xc2\xa0EVM\xc2\xa0in\xc2\xa0IT\xc2\xa0\n               techniques,\xc2\xa0EVM\xc2\xa0performance\xc2\xa0                      developing\xc2\xa0a\xc2\xa0                      projects.\xc2\xa0\xc2\xa0This\xc2\xa0includes\xc2\xa0\n               analysis\xc2\xa0and\xc2\xa0reporting\xc2\xa0                           performance\xc2\xa0plan\xc2\xa0that\xc2\xa0             considerations\xc2\xa0for:\xc2\xa0\n               requirements\xc2\xa0including\xc2\xa0specific\xc2\xa0                  addresses\xc2\xa0security\xc2\xa0                a.    Articulating\xc2\xa0and\xc2\xa0capturing\xc2\xa0\n               requirements\xc2\xa0for\xc2\xa0EVMS\xc2\xa0                            resources\xc2\xa0including\xc2\xa0                     project\xc2\xa0scope\xc2\xa0and\xc2\xa0work\xc2\xa0\n               certification\xc2\xa0and\xc2\xa0surveillance\xc2\xa0                   budget,\xc2\xa0staffing\xc2\xa0and\xc2\xa0                    assignments\xc2\xa0through\xc2\xa0\n               procedure.\xc2\xa0                                       training\xc2\xa0                                integrated\xc2\xa0baseline\xc2\xa0reviews\xc2\xa0\n               \xc2\xa0                                   \xc2\xa0                                                b.    Decomposing\xc2\xa0work\xc2\xa0using\xc2\xa0a\xc2\xa0\n                                                       B.   
Security\xc2\xa0estimates\xc2\xa0for\xc2\xa0the\xc2\xa0IT\xc2\xa0                standard\xc2\xa0work\xc2\xa0breakdown\xc2\xa0\n                                                            Combined\xc2\xa0Infrastructure\xc2\xa0are\xc2\xa0                  structures\xc2\xa0(WBS)\xc2\xa0for\xc2\xa0IT\xc2\xa0\n                                                            self\xe2\x80\x90reported\xc2\xa0by\xc2\xa0the\xc2\xa0OAs\xc2\xa0and\xc2\xa0                 development\xc2\xa0projects\xc2\xa0(e.g.,\xc2\xa0\n                                                            do\xc2\xa0not\xc2\xa0follow\xc2\xa0any\xc2\xa0consistent,\xc2\xa0                following\xc2\xa0a\xc2\xa0standardized\xc2\xa0\n                                                            predictable\xc2\xa0methodology\xc2\xa0                      software\xc2\xa0development\xc2\xa0lifecycle\xc2\xa0\n                                                            from\xc2\xa0which\xc2\xa0future\xc2\xa0                            or\xc2\xa0SDLC)\xc2\xa0\n                                                            projections\xc2\xa0can\xc2\xa0be\xc2\xa0based\xc2\xa0by\xc2\xa0            c.    Managing\xc2\xa0concurrent\xc2\xa0efforts\xc2\xa0\n                                                            OST.\xc2\xa0\xc2\xa0In\xc2\xa0addition,\xc2\xa0there\xc2\xa0is\xc2\xa0no\xc2\xa0               through\xc2\xa0an\xc2\xa0Integrated\xc2\xa0Master\xc2\xa0\n                                                            accountability\xc2\xa0over\xc2\xa0the\xc2\xa0                      Schedule\xc2\xa0(IMS)\xc2\xa0\n                                                            reasonableness\xc2\xa0of\xc2\xa0the\xc2\xa0                  d.    
EVM\xc2\xa0rebaselining\xc2\xa0guidelines\xc2\xa0\n                                                            estimates\xc2\xa0provided\xc2\xa0by\xc2\xa0the\xc2\xa0                    and\xc2\xa0documentation\xc2\xa0retention\xc2\xa0\n                                                            OAs.\xc2\xa0\xc2\xa0Lastly,\xc2\xa0the\xc2\xa0estimates\xc2\xa0                  requirements\xc2\xa0\n                                                            for\xc2\xa0the\xc2\xa0common\xc2\xa0IT\xc2\xa0services\xc2\xa0             e.    Conducting\xc2\xa0EVM\xc2\xa0training\xc2\xa0and\xc2\xa0\n                                                            also\xc2\xa0do\xc2\xa0not\xc2\xa0follow\xc2\xa0a\xc2\xa0                         lessons\xc2\xa0learned\xc2\xa0\n                                                            consistent\xc2\xa0methodology\xc2\xa0that\xc2\xa0       D.   There\xc2\xa0are\xc2\xa0inconsistent\xc2\xa0EVMS\xc2\xa0\n                                                            provides\xc2\xa0a\xc2\xa0reasonable\xc2\xa0                  practices\xc2\xa0being\xc2\xa0followed\xc2\xa0across\xc2\xa0\n                                                            estimate\xc2\xa0of\xc2\xa0the\xc2\xa0future\xc2\xa0                 modes\xc2\xa0and\xc2\xa0investments.\xc2\xa0\xc2\xa0Specifically,\xc2\xa0\n                                                            security\xc2\xa0costs\xc2\xa0based\xc2\xa0on\xc2\xa0the\xc2\xa0            a.    
Standard\xc2\xa0contract\xc2\xa0language\xc2\xa0for\xc2\xa0\n                                                            services\xc2\xa0rendered\xc2\xa0as\xc2\xa0the\xc2\xa0                     EVMS\xc2\xa0is\xc2\xa0not\xc2\xa0being\xc2\xa0used\xc2\xa0for\xc2\xa0\n                                                            subordinate\xc2\xa0investments\xc2\xa0are\xc2\xa0                  PHMSA\xc2\xa0and\xc2\xa0NHTSA\xc2\xa0modes\xc2\xa0and\xc2\xa0\n                                                            migrated\xc2\xa0to\xc2\xa0the\xc2\xa0common\xc2\xa0                       the\xc2\xa0ASOS/AWOS,\xc2\xa0ATOP,\xc2\xa0SMART\xc2\xa0\n                                                            operating\xc2\xa0environment.\xc2\xa0                       and\xc2\xa0FMCSA\xc2\xa0Modernization\xc2\xa0\n                                                                                                          investments.\xc2\xa0\n                                                                                                    b.    
Certain\xc2\xa0modes\xc2\xa0and\xc2\xa0investments\xc2\xa0\n                                                                                                          have\xc2\xa0not\xc2\xa0performed\xc2\xa0EVMS\xc2\xa0\n                                                                                                          certification\xc2\xa0over\xc2\xa0their\xc2\xa0EVMS\xc2\xa0\n                                                                                                          operated\xc2\xa0by\xc2\xa0contractors.\xc2\xa0\n                                                                                                          Specifically\xc2\xa0the\xc2\xa0OST,\xc2\xa0NHTSA,\xc2\xa0\n                                                                                                          FMCSA,\xc2\xa0and\xc2\xa0PHMSA\xc2\xa0modes\xc2\xa0and\xc2\xa0\n                                                                                                          the\xc2\xa0TAMR,\xc2\xa0ASOS/AWOS,\xc2\xa0\xc2\xa0\n\n\n\n\nAppendix A. 
KPMG LLP Report                                                                                                     Page 27\n\x0c                                                                                                                               37\n\n\n                                                                                                            FINAL REPORT\n\n          2008\xe2\x80\x901:\xc2\xa0Controls\xc2\xa0Over\xc2\xa0the\xc2\xa0Reliability\xc2\xa0   2008\xe2\x80\x902:\xc2\xa0Controls\xc2\xa0Over\xc2\xa0the\xc2\xa0           2008\xe2\x80\x903:\xc2\xa0Controls\xc2\xa0Over\xc2\xa0the\xc2\xa0\n          of\xc2\xa0EVMS\xc2\xa0Data\xc2\xa0Should\xc2\xa0Be\xc2\xa0                  Reasonableness\xc2\xa0of\xc2\xa0Security\xc2\xa0Cost\xc2\xa0     Implementation\xc2\xa0and\xc2\xa0Use\xc2\xa0of\xc2\xa0EVMS\xc2\xa0In\xc2\xa0\n          Strengthened\xc2\xa0                            Estimates\xc2\xa0and\xc2\xa0Reporting\xc2\xa0Should\xc2\xa0Be\xc2\xa0   Project\xc2\xa0Oversight\xc2\xa0Should\xc2\xa0Be\xc2\xa0\n                                                   Strengthened\xc2\xa0                        Strengthened\xc2\xa0\n\n\xc2\xa0\xc2\xa0             \xc2\xa0\xc2\xa0                                  \xc2\xa0\xc2\xa0                                             SMART\xc2\xa0and\xc2\xa0FMCSA\xc2\xa0\xc2\xa0\n                                                                                                  Modernization\xc2\xa0investments.\xc2\xa0\n                                                                                             c.   
Inconsistent\xc2\xa0contractor\xc2\xa0\n                                                                                                  surveillance\xc2\xa0of\xc2\xa0EVMS\xc2\xa0practices\xc2\xa0\n                                                                                                  for\xc2\xa0OST,\xc2\xa0NHTSA,\xc2\xa0FMCSA,\xc2\xa0\n                                                                                                  PHMSA\xc2\xa0modes\xc2\xa0and\xc2\xa0ATOP,\xc2\xa0TFM,\xc2\xa0\n                                                                                                  SMART\xc2\xa0and\xc2\xa0FMCSA\xc2\xa0\n                                                                                                  Modernization\xc2\xa0investments.\xc2\xa0\n                                                                                             d.   Standard\xc2\xa0WBS\xc2\xa0for\xc2\xa0development\xc2\xa0\n                                                                                                  activities\xc2\xa0are\xc2\xa0not\xc2\xa0consistently\xc2\xa0\n                                                                                                  used\xc2\xa0by\xc2\xa0PHMSA\xc2\xa0or\xc2\xa0the\xc2\xa0SMART\xc2\xa0\n                                                                                                  investment.\xc2\xa0\n                                                                                             e.   EVMS\xc2\xa0reporting\xc2\xa0frequency\xc2\xa0\n                                                                                                  performed\xc2\xa0quarterly\xc2\xa0for\xc2\xa0\n                                                                                                  NHTSA.\xc2\xa0\n\n\n\n\nAppendix A. 
KPMG LLP Report                                                                                           Page 28\n\x0c                                                                                                                                     38\n\n\n                                                                                                                  FINAL REPORT\n\n          2008\xe2\x80\x901:\xc2\xa0Controls\xc2\xa0Over\xc2\xa0the\xc2\xa0Reliability\xc2\xa0    2008\xe2\x80\x902:\xc2\xa0Controls\xc2\xa0Over\xc2\xa0the\xc2\xa0              2008\xe2\x80\x903:\xc2\xa0Controls\xc2\xa0Over\xc2\xa0the\xc2\xa0\n          of\xc2\xa0EVMS\xc2\xa0Data\xc2\xa0Should\xc2\xa0Be\xc2\xa0                   Reasonableness\xc2\xa0of\xc2\xa0Security\xc2\xa0Cost\xc2\xa0        Implementation\xc2\xa0and\xc2\xa0Use\xc2\xa0of\xc2\xa0EVMS\xc2\xa0In\xc2\xa0\n          Strengthened\xc2\xa0                             Estimates\xc2\xa0and\xc2\xa0Reporting\xc2\xa0Should\xc2\xa0         Project\xc2\xa0Oversight\xc2\xa0Should\xc2\xa0Be\xc2\xa0\n                                                    Be\xc2\xa0Strengthened\xc2\xa0                        Strengthened\xc2\xa0\n\nCause\xc2\xa0    A.   EVM\xc2\xa0certification\xc2\xa0and\xc2\xa0               A,\xc2\xa0B.\xc2\xa0OST,\xc2\xa0who\xc2\xa0has\xc2\xa0responsibility\xc2\xa0      A.   
OST,\xc2\xa0who\xc2\xa0has\xc2\xa0responsibility\xc2\xa0for\xc2\xa0\n               surveillance\xc2\xa0activities\xc2\xa0generally\xc2\xa0   for\xc2\xa0coordinating\xc2\xa0and\xc2\xa0promulgating\xc2\xa0           coordinating\xc2\xa0and\xc2\xa0promulgating\xc2\xa0EVM\xc2\xa0\n               do\xc2\xa0not\xc2\xa0include\xc2\xa0specific\xc2\xa0             security\xc2\xa0cost\xc2\xa0estimating,\xc2\xa0tracking\xc2\xa0          requirements,\xc2\xa0has\xc2\xa0not\xc2\xa0had\xc2\xa0adequate\xc2\xa0\n               considerations\xc2\xa0for\xc2\xa0protecting\xc2\xa0       and\xc2\xa0reporting\xc2\xa0requirements,\xc2\xa0has\xc2\xa0             resources\xc2\xa0dedicated\xc2\xa0to\xc2\xa0creating\xc2\xa0and\xc2\xa0\n               EVM\xc2\xa0data\xc2\xa0and\xc2\xa0tools\xc2\xa0from\xc2\xa0             not\xc2\xa0had\xc2\xa0adequate\xc2\xa0resources\xc2\xa0                  promulgating\xc2\xa0EVM\xc2\xa0requirements.\xc2\xa0\n               unauthorized\xc2\xa0access\xc2\xa0or\xc2\xa0changes\xc2\xa0      dedicated\xc2\xa0to\xc2\xa0creating\xc2\xa0and\xc2\xa0              B.   There\xc2\xa0are\xc2\xa0no\xc2\xa0DOT\xc2\xa0requirements\xc2\xa0to\xc2\xa0\n               or\xc2\xa0for\xc2\xa0monitoring\xc2\xa0the\xc2\xa0accuracy\xc2\xa0      promulgating\xc2\xa0these\xc2\xa0requirements.\xc2\xa0            apply\xc2\xa0an\xc2\xa0enterprise\xc2\xa0approach\xc2\xa0to\xc2\xa0EVM\xc2\xa0\n               and\xc2\xa0completeness\xc2\xa0of\xc2\xa0EVM\xc2\xa0data\xc2\xa0                                                     for\xc2\xa0projects.\xc2\xa0\n               being\xc2\xa0collected\xc2\xa0and\xc2\xa0reported\xc2\xa0in\xc2\xa0                                             C.   
OST,\xc2\xa0who\xc2\xa0has\xc2\xa0responsibility\xc2\xa0for\xc2\xa0\n               EVM\xc2\xa0policy\xc2\xa0or\xc2\xa0in\xc2\xa0contractor\xc2\xa0                                                      coordinating\xc2\xa0and\xc2\xa0promulgating\xc2\xa0EVM\xc2\xa0\n               statements\xc2\xa0of\xc2\xa0work\xc2\xa0(SOW).\xc2\xa0                                                        requirements,\xc2\xa0has\xc2\xa0not\xc2\xa0had\xc2\xa0adequate\xc2\xa0\n          B.   OST,\xc2\xa0who\xc2\xa0has\xc2\xa0responsibility\xc2\xa0for\xc2\xa0                                                  resources\xc2\xa0dedicated\xc2\xa0to\xc2\xa0creating\xc2\xa0and\xc2\xa0\n               coordinating\xc2\xa0and\xc2\xa0promulgating\xc2\xa0                                                    promulgating\xc2\xa0EVM\xc2\xa0requirements.\xc2\xa0\n               EVM\xc2\xa0requirements,\xc2\xa0has\xc2\xa0not\xc2\xa0had\xc2\xa0                                               D.   OST,\xc2\xa0who\xc2\xa0has\xc2\xa0responsibility\xc2\xa0for\xc2\xa0\n               adequate\xc2\xa0resources\xc2\xa0dedicated\xc2\xa0                                                     coordinating\xc2\xa0and\xc2\xa0promulgating\xc2\xa0EVM\xc2\xa0\n               to\xc2\xa0creating\xc2\xa0and\xc2\xa0promulgating\xc2\xa0                                                     requirements,\xc2\xa0has\xc2\xa0not\xc2\xa0had\xc2\xa0adequate\xc2\xa0\n               EVM\xc2\xa0requirements.\xc2\xa0                                                                resources\xc2\xa0dedicated\xc2\xa0to\xc2\xa0creating\xc2\xa0and\xc2\xa0\n          \xc2\xa0                                                                                      promulgating\xc2\xa0EVM\xc2\xa0requirements.\xc2\xa0\n          \xc2\xa0                                                                                 \xc2\xa0\nEffect\xc2\xa0   A.   
Without\xc2\xa0adequate\xc2\xa0controls\xc2\xa0           A,\xc2\xa0B.\xc2\xa0Without\xc2\xa0completed\xc2\xa0provisions\xc2\xa0     A.   Without\xc2\xa0completed\xc2\xa0policies,\xc2\xa0certain\xc2\xa0\n               over\xc2\xa0the\xc2\xa0tools\xc2\xa0being\xc2\xa0used,\xc2\xa0EVM\xc2\xa0      for\xc2\xa0estimating,\xc2\xa0analyzing,\xc2\xa0and\xc2\xa0              provisions\xc2\xa0for\xc2\xa0using\xc2\xa0and\xc2\xa0managing\xc2\xa0\n               data\xc2\xa0being\xc2\xa0calculated\xc2\xa0or\xc2\xa0            reporting\xc2\xa0security\xc2\xa0costs,\xc2\xa0modes\xc2\xa0are\xc2\xa0         projects\xc2\xa0using\xc2\xa0EVM\xc2\xa0may\xc2\xa0be\xc2\xa0\n               reported\xc2\xa0can\xc2\xa0be\xc2\xa0altered,\xc2\xa0            left\xc2\xa0to\xc2\xa0estimate\xc2\xa0costs\xc2\xa0using\xc2\xa0self\xe2\x80\x90           incomplete\xc2\xa0and\xc2\xa0inconsistently\xc2\xa0\n               intentionally\xc2\xa0or\xc2\xa0unintentionally,\xc2\xa0   approved\xc2\xa0techniques.\xc2\xa0\xc2\xa0This\xc2\xa0may\xc2\xa0              applied\xc2\xa0for\xc2\xa0EVM\xc2\xa0benefits\xc2\xa0to\xc2\xa0be\xc2\xa0\n               making\xc2\xa0EVM\xc2\xa0data\xc2\xa0accuracy\xc2\xa0and\xc2\xa0        result\xc2\xa0in\xc2\xa0security\xc2\xa0cost\xc2\xa0estimates\xc2\xa0           obtained.\xc2\xa0\n               reliability\xc2\xa0questionable.\xc2\xa0           that\xc2\xa0are\xc2\xa0inefficient,\xc2\xa0unnecessary\xc2\xa0or\xc2\xa0   B.   DOT\xc2\xa0may\xc2\xa0not\xc2\xa0be\xc2\xa0recognizing\xc2\xa0the\xc2\xa0\n          B.   
Without\xc2\xa0completed\xc2\xa0policies,\xc2\xa0         redundant\xc2\xa0and\xc2\xa0inconsistent\xc2\xa0across\xc2\xa0           benefits\xc2\xa0of\xc2\xa0consistent\xc2\xa0and\xc2\xa0reliable\xc2\xa0\n               certain\xc2\xa0provisions\xc2\xa0may\xc2\xa0be\xc2\xa0           modes.\xc2\xa0                                      information\xc2\xa0by\xc2\xa0leveraging\xc2\xa0an\xc2\xa0\n               inconsistently\xc2\xa0applied.\xc2\xa0             \xc2\xa0                                            enterprise\xc2\xa0approach\xc2\xa0to\xc2\xa0\n          \xc2\xa0                                                                                      implementing\xc2\xa0EVM\xc2\xa0in\xc2\xa0projects.\xc2\xa0\n                                                                                            C.   Without\xc2\xa0completed\xc2\xa0policies,\xc2\xa0certain\xc2\xa0\n                                                                                                 provisions\xc2\xa0may\xc2\xa0be\xc2\xa0inconsistently\xc2\xa0\n                                                                                                 applied.\xc2\xa0\n                                                                                            D.   
Without\xc2\xa0completed\xc2\xa0provisions\xc2\xa0for\xc2\xa0\n                                                                                                 EVMS\xc2\xa0standardization\xc2\xa0and\xc2\xa0\n                                                                                                 implementation,\xc2\xa0EVMS\xc2\xa0may\xc2\xa0be\xc2\xa0\n                                                                                                 inconsistently\xc2\xa0applied\xc2\xa0across\xc2\xa0projects\xc2\xa0\n                                                                                                 requiring\xc2\xa0its\xc2\xa0use.\xc2\xa0\n                                                                                            \xc2\xa0\n\n\n\n\nAppendix A. KPMG LLP Report                                                                                                Page 29\n\x0c                                                                                                                                                          39\n\n\n                                                                                                                                   FINAL REPORT\n\n            2008\xe2\x80\x901:\xc2\xa0Controls\xc2\xa0Over\xc2\xa0the\xc2\xa0Reliability\xc2\xa0            2008\xe2\x80\x902:\xc2\xa0Controls\xc2\xa0Over\xc2\xa0the\xc2\xa0                        2008\xe2\x80\x903:\xc2\xa0Controls\xc2\xa0Over\xc2\xa0the\xc2\xa0\n            of\xc2\xa0EVMS\xc2\xa0Data\xc2\xa0Should\xc2\xa0Be\xc2\xa0                           Reasonableness\xc2\xa0of\xc2\xa0Security\xc2\xa0Cost\xc2\xa0                  Implementation\xc2\xa0and\xc2\xa0Use\xc2\xa0of\xc2\xa0EVMS\xc2\xa0In\xc2\xa0\n            Strengthened\xc2\xa0                                     Estimates\xc2\xa0and\xc2\xa0Reporting\xc2\xa0Should\xc2\xa0                   Project\xc2\xa0Oversight\xc2\xa0Should\xc2\xa0Be\xc2\xa0\n                                                       
       Be\xc2\xa0Strengthened\xc2\xa0                                  Strengthened\xc2\xa0\n\nCriteria\xc2\xa0   A.\xc2\xa0 \xc2\xa0 \xc2\xa0 \xc2\xa0 \xc2\xa0 CIO\xc2\xa0 Council\xc2\xa0 A\xc2\xa0 Framework\xc2\xa0 for\xc2\xa0      A,\xc2\xa0B.\xc2\xa0OMB\xc2\xa0Circular\xc2\xa0A\xe2\x80\x9011,\xc2\xa0Exhibit\xc2\xa053:\xc2\xa0             A.   OMB\xc2\xa0memo\xc2\xa0M\xe2\x80\x9005\xe2\x80\x9023\xc2\xa0Improving\xc2\xa0\n                     Developing\xc2\xa0 Earned\xc2\xa0 Value\xc2\xa0               "Federal\xc2\xa0 agencies\xc2\xa0 must\xc2\xa0 consider\xc2\xa0                    Information\xc2\xa0Technology\xc2\xa0(IT)\xc2\xa0Project\xc2\xa0\n                     Management\xc2\xa0                   Systems\xc2\xa0   the\xc2\xa0 following\xc2\xa0 criteria\xc2\xa0 to\xc2\xa0 determine\xc2\xa0               Planning\xc2\xa0and\xc2\xa0Execution,\xc2\xa0\xe2\x80\x9cFull\xc2\xa0\n                     (EVMS)\xc2\xa0       Policy\xc2\xa0     for\xc2\xa0     IT\xc2\xa0   security\xc2\xa0 costs\xc2\xa0 for\xc2\xa0 a\xc2\xa0 specific\xc2\xa0                     Implementation\xc2\xa0of\xc2\xa0EVMS\xc2\xa0for\xc2\xa0IT\xc2\xa0\n                     Investments,\xc2\xa0 Section\xc2\xa0 4.2.1\xc2\xa0            investment:\xc2\xa0            The\xc2\xa0      products,\xc2\xa0           projects\xc2\xa0includes\xe2\x80\xa6\xc2\xa0comprehensive\xc2\xa0\n                     EVM\xc2\xa0 Data\xc2\xa0 Collection,\xc2\xa0 \xe2\x80\x9cThe\xc2\xa0            procedures,\xc2\xa0and\xc2\xa0personnel\xc2\xa0(Federal\xc2\xa0                    agency\xc2\xa0policies.\xe2\x80\x9d\xc2\xa0\n                     agency\xc2\xa0 EVM\xc2\xa0 policy\xc2\xa0 should\xc2\xa0             employees\xc2\xa0 and\xc2\xa0 contractors)\xc2\xa0 that\xc2\xa0               \xc2\xa0\n                     outline\xc2\xa0 a\xc2\xa0 systematic\xc2\xa0 way\xc2\xa0 to\xc2\xa0         are\xc2\xa0 primarily\xc2\xa0 dedicated\xc2\xa0 to\xc2\xa0 or\xc2\xa0 used\xc2\xa0               
CIO\xc2\xa0Council\xc2\xa0A\xc2\xa0Framework\xc2\xa0for\xc2\xa0\n                     collect\xc2\xa0 data\xc2\xa0 necessary\xc2\xa0 to\xc2\xa0            for\xc2\xa0 provision\xc2\xa0 of\xc2\xa0 IT\xc2\xa0 security\xc2\xa0 for\xc2\xa0 the\xc2\xa0            Developing\xc2\xa0Earned\xc2\xa0Value\xc2\xa0\n                     support\xc2\xa0 EVM.\xc2\xa0 The\xc2\xa0 agency\xc2\xa0              specific\xc2\xa0 IT\xc2\xa0 investment.\xc2\xa0 \xc2\xa0 Do\xc2\xa0 not\xc2\xa0                  Management\xc2\xa0Systems\xc2\xa0(EVMS)\xc2\xa0Policy\xc2\xa0\n                     EVM\xc2\xa0 policy\xc2\xa0 should\xc2\xa0 describe\xc2\xa0           include\xc2\xa0 activities\xc2\xa0 performed\xc2\xa0 or\xc2\xa0                    for\xc2\xa0IT\xc2\xa0Investments,\xc2\xa0Section\xc2\xa04.2.3\xc2\xa0\n                     any\xc2\xa0 templates,\xc2\xa0 tools,\xc2\xa0 and\xc2\xa0            funded\xc2\xa0 by\xc2\xa0 the\xc2\xa0 OIG.\xc2\xa0 \xc2\xa0 When\xc2\xa0                         Integration\xc2\xa0with\xc2\xa0Portfolio\xc2\xa0\n                     systems\xc2\xa0          utilized\xc2\xa0      and\xc2\xa0    determining\xc2\xa0 the\xc2\xa0 percentage\xc2\xa0 of\xc2\xa0 IT\xc2\xa0                  Management,\xc2\xa0"Agency\xc2\xa0EVM\xc2\xa0policy\xc2\xa0\n                     additionally\xc2\xa0 provide\xc2\xa0 controls\xc2\xa0         security\xc2\xa0include\xc2\xa0the\xc2\xa0costs\xc2\xa0of:\xc2\xa0\xc2\xa0\xe2\x80\x90\xc2\xa0Risk\xc2\xa0                should\xc2\xa0address\xc2\xa0the\xc2\xa0use\xc2\xa0of\xc2\xa0EVMS\xc2\xa0\n                     to\xc2\xa0 ensure\xc2\xa0 the\xc2\xa0 data\xc2\xa0 is\xc2\xa0               assessment;\xc2\xa0\xe2\x80\x90\xc2\xa0Security\xc2\xa0planning\xc2\xa0and\xc2\xa0                   data\xc2\xa0and\xc2\xa0analysis\xc2\xa0to\xc2\xa0make\xc2\xa0\n                     collected\xc2\xa0 consistently\xc2\xa0 and\xc2\xa0            policy;\xc2\xa0     \xe2\x80\x90\xc2\xa0         Certification\xc2\xa0      &\xc2\xa0         
                                                                               FINAL REPORT

2008-1: Controls Over the Reliability of EVMS Data Should Be Strengthened

(continued)
     ... management and IT portfolio reliably to inform management decisions. The agency EVM policy should detail any systems used to track data and the process for tracking actual costs at the control account level. The agency EVM policy should additionally address collection of data from both government and contractor resources."

     A. Office of Management and Budget (OMB) Circular A-11, p. 9 of section 230, Data Limitations: "In order to assess the progress towards achievement of performance goals, the performance data must be accurate and reliable. Significant or known data limitations should be identified in the performance plan and include a description of the limitations, the impact it has on goal achievement, and the actions that will be employed to correct the limitations. Performance data need not be perfect to be reliable; however, significant data limitations can lead to inaccurate assessments and distort performance results."

     B. PMI's Earned Value Management (EVM) Practice Standard: "The key practices of EVM include 1) Establishing a performance measurement baseline (PMB) that includes decomposing work scope to a manageable level; assigning unambiguous management responsibility; developing a time-phased budget for each work task; selecting EV measurement techniques for all tasks; maintaining integrity of PMB throughout the project and 2) Measuring and analyzing performance against the baseline that includes record resource usage during project execution; objectively measure the physical work progress; crediting EV according to EV techniques; analyzing and forecasting cost/schedule performance; reporting performance problems and/or take action."

Recommendation
     A. Ensure that controls over the process of collecting and reporting EVM data contain adequate provisions for controlling access and changes to the EVM data. In addition, adequate controls should be included over the analysis and monitoring processes in order to verify the accuracy and completeness of the EVM data. These provisions should be contained in related EVM policy and implementation procedures and in corresponding SOW with contractors.
     B. Consider incorporating the standards for estimating project requirements as described in the observations and incorporate in the to-be released EVM Implementation Guide.

Applicable Modes
     A. FMCSA, PHMSA, FAA
     B. OST

Applicable major IT investments
     A. FAA (ASOS/AWOS, ATM/TFM, ATOP); PHMSA (SMART); FMCSA (FMCSA Modernization)
     B. N/A


2008-2: Controls Over the Reasonableness of Security Cost Estimates and Reporting Should Be Strengthened

(continued)
     ... Accreditation;
     - Specific management, operational, and technical security controls (to include access control systems as well as telecommunications and network security);
     - Authentication or cryptographic applications;
     - Education, awareness, and training;
     - System reviews/evaluations (including security control testing and evaluation);
     - Oversight or compliance inspections;
     - Development and maintenance of agency reports to OMB and corrective action plans as they pertain to the specific investment;
     - Contingency planning and testing;
     - Physical and environmental controls for hardware and software;
     - Auditing and monitoring;
     - Computer security investigations and forensics; and
     - Reviews, inspections, audits and other evaluations performed on contractor facilities and operations.
     Other than those costs included above, security costs may also include the products, procedures, and personnel (Federal employees and contractors) that have as an incidental or integral component, a quantifiable benefit to IT security for the specific IT investment. This includes system configuration/change management control, personnel security, physical security, operations security, privacy training, program/system evaluations whose primary purpose is other than security, systems administrator functions, and, for example, system upgrades within which new features obviate the need for other standalone security controls."

Recommendation
     A, B. Consider incorporating the standards for security budgeting as described in the observations, promulgate and monitor the use of the standards across modes.

Applicable Modes
     A. OST
     B. OST

Applicable major IT investments
     A. IT Combined Infrastructure
     B. IT Combined Infrastructure


2008-3: Controls Over the Implementation and Use of EVMS in Project Oversight Should Be Strengthened

(continued)
     ... management and Capital Planning and Investment Control (CPIC) decisions (i.e., how and when is performance data received by the agency; who reviews it; is further analysis done; does the agency use a tool to manage the data reported; how is performance information reported to senior management; and what they do with the information)." Section 4.2.4 Training: "Agency EVM policy should outline guidelines on training for program office staff and contractor personnel on the analysis of generated earned value data. Suggestions for training include: formal training classes; contractor-sponsored training; on-the-job training; and training materials, available on performance management websites." Section 4.4 Templates and Tools: "Templates and tools are not a substitute for the establishment and adherence to EVMS processes but can be used to assist in the management and reporting of EVMS data. The agency EVM policy should address the development and review of any templates and specify all agency tools used to collect, manage, and report on EVMS data."

     B. Unknown.

     C. PMI's Earned Value Management (EVM) Practice Standard: "The key practices of EVM include:
        • Establishing a performance measurement baseline (PMB) that includes decomposing work scope to a manageable level; assigning unambiguous management responsibility; developing a time-phased budget for each work task; selecting EV measurement techniques for all tasks; maintaining integrity of PMB throughout the project.
        • Measuring and analyzing performance against the baseline that includes record resource usage during project execution; objectively measure the physical work progress; crediting EV according to EV techniques; analyzing and forecasting cost/schedule performance; reporting performance problems and/or take action."

     D. Unknown.

Recommendation
     A. Evaluate, complete and promulgate the EVM policy and Implementation Guide.
     B. Evaluate the cost/benefits of leveraging an enterprise technology for managing projects and calculating EVM project level data.
     C. Consider incorporating the standards for applying EVM in project requirements as described in the observations and incorporate in the to-be released EVM Implementation Guide.
     D. Consider incorporating the standards for implementing and using EVM as described in the observations and incorporate in the to-be released EVM Implementation Guide.

Applicable Modes
     A. OST
     B. OST
     C. OST
     D.a. PHMSA, NHTSA
     D.b. OST, NHTSA, FMCSA, PHMSA
     D.c. OST, NHTSA, FMCSA, PHMSA
     D.d. OST, PHMSA
     D.e. NHTSA

Applicable major IT investments
     A. N/A
     B. N/A
     C. N/A
     D.a. FAA (ASOS/AWOS, ATOP); PHMSA (SMART); FMCSA (FMCSA Modernization)
     D.b. FAA (TAMR, ASOS/AWOS); PHMSA (SMART); FMCSA (FMCSA Modernization)
     D.c. FAA (ATM/TFM, ATOP); PHMSA (SMART); FMCSA (FMCSA Modernization)
     D.d. PHMSA (SMART)
     D.e. N/A

Appendix A. KPMG LLP Report


MANAGEMENT RESPONSE TO REPORT

The Office of Inspector General (OIG) will be issuing a separate report for which this
performance audit report will be included as an appendix. 
The Department of Transportation's
(DOT) management response, including concurrence or non-concurrence to the findings and
recommendations in this performance audit report, will be included as part of the OIG's overall
report.


           APPENDIX B. MANAGEMENT RESPONSE


           U.S. Department of
                                                    Memorandum
           Transportation
           Office of the Secretary
           of Transportation

Subject:   ACTION: Management Response to Office of                 Date:    April 10, 2009
           Inspector General Draft Report, "Quality Control
           Review of the Department's Implementation of
           Earned Value Management and Security Cost
           Reporting."

  From:    Jacquelyn Patillo                                     Reply to
                                                                 Attn. of:   S-81, x69201
            Acting Chief Information Officer, DOT
    To:    Rebecca C. Leng
           Assistant Inspector General for Financial
            and Information Technology Audits

           Thank you for providing us with the draft report of your audit, "Quality Control
           Review of the Department's Implementation of Earned Value Management and
           Security Cost Reporting." We appreciate the recommendations in your report and
           will use them to help achieve full compliance with key OMB requirements for
           Earned Value Management (EVM) implementation.

           Recommendation 1. 
Establish a target date to complete and distribute the DOT
           EVM implementation guidance to Operating Administrations. This guidance
           should document processes and practices consistent with guidelines published
           by OMB and address the detailed recommendations included in KPMG's report
           in Appendix A.

           Concur. The Office of the Chief Information Officer will issue an expanded DOT
           Earned Value Management policy and associated guideline no later than
           September 30, 2009. The DOT EVM policy will include EVM best practices to
           ensure controls over collecting and reporting EVM data are established,
           implemented, and monitored. The controls will include techniques for planning,
           estimating, change control, integrated baseline reviews, reporting, conducting
           operational analysis and taking corrective actions. The EVM guideline will
           include the standards, processes, and templates to be used by the DOT Operating
           Administrations. The EVM guideline will be developed in accordance with OMB
           A-11 requirements and in consideration of the recommendations detailed in
           KPMG's report.

           Recommendation 2. Require Operating Administrations to review all major IT
           investments in the development phase for compliance with key OMB
           requirements for EVM implementation and report results to the CIO office.
           Ensure that Operating Administrations establish a target date for correcting
           deficiencies found.

           Concur. Each Operating Administration currently has a POA&M for full
           implementation of EVM and progress on the actions is reported to the CIO office.
           DOT has already begun incorporating EVM as a topic of discussion during
           Investment Review Board meetings. In addition, the DOT Health of the
           Investment / Program Management Review monitoring and reporting tools are
           being consolidated to ensure a holistic view of each investment is reviewed and
           evaluated by DOT senior management. This consolidated assessment will be the
           primary EVM monthly data submission platform, allowing data discrepancies at
           the investment level to be quickly identified and mitigated, and will require that
           Operating Administrations establish target dates. DOT expects to reach the goal of
           full compliance with key OMB requirements for EVM implementation by
           December 2009.

           Recommendation 3. Establish security cost estimation standards consistent with
           the National Institute of Standards and Technology, require Operating
           Administrations to follow the standards, and verify compliance with the
           standards by performing a sample review of Operating Administrations' security
           cost estimate submissions.

           Concur. DOT's analysis of security cost estimating practices has also shown that,
           while the Operating Administrations are using cost estimating techniques as part of
           their IT investment processes, they would benefit from greater consistency across
           organizations. By June 30, 2009, the DOT CIO will issue a guidance document to
           identify Department-wide expectations intended to standardize the Operating
           Administration security cost estimating techniques in accordance with National
           Institute of Standards and Technology control families. In order to help ensure
           compliance with this guidance, by August 30, 2009, DOT will conduct sample
           reviews to verify that the security cost estimating guidelines are being utilized in
           preparing the Exhibit 300s for Budget Year 2011.

                                         #

Appendix B. Management Response